A top priority for VMware is to maintain the trust awarded to us by our customers. We recognize that unless our products meet the highest standards for security, customers will not be able to utilize them with confidence. To achieve this, the VMware Security Response Center (vSRC) maintains a program to identify, respond and address vulnerabilities. This publication documents our policies for addressing vulnerabilities in VMware Enterprise and Consumer Products (on-prem), describes under what circumstances we will issue a CVE identifier and VMware Security Advisory (VMSA), explains how to report a vulnerability in VMware-maintained code, defines terminology used in our publications and corrective actions, and documents our commitment to safe harbor practices.
VMware publications utilize the industry-standard Common Vulnerability Scoring System (CVSS) in addition to qualitative severity terminology which aligns with FIRST standards
VMware Qualitative Rating
FIRST Qualitative Rating
||Critical||9.0 – 10.0|
|Important||High||7.0 – 8.9
||Medium||4.0 – 6.9|
|Low||Low||0.1 – 3.9|
Note: VMware qualitative rating may change and does not depend only on the CVSS scoring.