About VMware Security Response Center

A top priority for VMware is to maintain the trust awarded to us by our customers. We recognize that unless our products meet the highest standards for security, customers will not be able to utilize them with confidence. To achieve this, the VMware Security Response Center (vSRC) maintains a program to identify, respond and address vulnerabilities. This publication documents our policies for addressing vulnerabilities in VMware Enterprise and Consumer Products (on-prem), describes under what circumstances we will issue a CVE identifier and VMware Security Advisory (VMSA), explains how to report a vulnerability in VMware-maintained code, defines terminology used in our publications and corrective actions, and documents our commitment to safe harbor practices.

How to Report Vulnerabilities

Process of reporting vulnerabilities to VMware Security Response Center

If you believe you have found a vulnerability in a VMware product or service, please let us know by sending a private email to security@vmware.com. We suggest you use encrypted email to submit your reports. You can find our public PGP key at kb.vmware.com/s/article/1055.

VMware follows responsible vulnerability disclosure guidelines, where the researcher privately reports the newly discovered vulnerability in VMware's products and services directly to VMware. This allows VMware to address the vulnerability in the impacted product and services before any party publicly discloses the vulnerability/exploit details. VMware may credit the researcher following responsible vulnerability disclosure guidelines for vulnerability discovery and reporting.

VMware response timelines are dependent upon several factors such as severity, complexity, impact and product life cycle. VMware will make every effort to publish fix or corrective actions to customers as follows:

  • Critical: Begin work on a fix or corrective action immediately and provide to customers in the shortest commercially reasonable time.
  • Important: Deliver a fix in the next planned maintenance or update release of the product where relevant.
  • Moderate, Low: Deliver a fix with the next planned release of the product.

If you are a VMware customer, we advise you create a support request (SR) with the VMware Global Support Services team.

Understand our Process

VMware Security Response Center’s process of handling suspected vulnerabilities
Step 1

Receive & Acknowledge

Step 2

Triage

Step 3

Investigate

Step 4

Remediate

Step 5

Communicate & Credit

Understanding Severity &
Common Vulnerabilities and Exposures

 

VMware Severity Definitions

VMware publications utilize the industry-standard Common Vulnerability Scoring System (CVSS) in addition to qualitative severity terminology which aligns with FIRST standards

 

VMware Qualitative Rating

FIRST Qualitative Rating

CVSS Score
Critical
Critical 9.0 – 10.0
Important High 7.0 – 8.9
Moderate
Medium 4.0 – 6.9
Low Low 0.1 – 3.9
None
None
0.0

 

Note: VMware qualitative rating may change and does not depend only on the CVSS scoring.

 

Common Vulnerabilities and Exposures (CVEs) Identifiers:

As an approved CVE Numbering Authority (CNA), VMware is authorized to assign CVE identifiers to vulnerabilities affecting products within our distinct, agreed upon scope.

VMware shall issue a CVE identifier for a vulnerability when it meets all the following criteria:

VMware Security Advisories (VMSAs)

VMware discloses vulnerabilities in VMware Security Advisories. VMSAs include the following information:

  • Qualitative Severity Information
  • CVSS Scoring
  • Impacted product suites that are currently supported
  • Vulnerability Descriptions
  • Currently Known Attack Vectors
  • Remediation Information
  • Workarounds for Critical Severity Vulnerabilities (if possible)
  • Notes containing confirmation if exploitation is happening in the wild

Keep Up to Date on the Latest Vulnerabilities

Workarounds

VMware defines a workaround as a supported in-place configuration change which addresses currently known attack vectors for a given vulnerability. VMware will investigate potential workarounds for critical severity vulnerabilities documented in VMSAs.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and VMware will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. 

Report Vulnerability to Our Team