If you believe you have found a vulnerability in a VMware product or service, please let us know by sending a private email to firstname.lastname@example.org. We suggest you use encrypted email to submit your reports. You can find our public PGP key at kb.vmware.com/s/article/1055.
VMware follows responsible vulnerability disclosure guidelines, where the researcher privately reports the newly discovered vulnerability in VMware's products and services directly to VMware. This allows VMware to address the vulnerability in the impacted product and services before any party publicly discloses the vulnerability/exploit details. VMware may credit the researcher following responsible vulnerability disclosure guidelines for vulnerability discovery and reporting.
VMware response timelines are dependent upon several factors such as severity, complexity, impact and product life cycle. VMware will make every effort to publish fix or corrective actions to customers as follows:
- Critical: Begin work on a fix or corrective action immediately and provide to customers in the shortest commercially reasonable time.
- Important: Deliver a fix in the next planned maintenance or update release of the product where relevant.
- Moderate, Low: Deliver a fix with the next planned release of the product.
If you are a VMware customer, we advise you create a support request (SR) with the VMware Global Support Services team.