A top priority for VMware is to maintain the trust awarded to us by our customers. We recognize that unless our products meet the highest standards for security, customers will not be able to utilize them with confidence. To achieve this, the VMware Security Response Center (vSRC) maintains a program to identify, respond to and address vulnerabilities. This publication documents our policies for addressing vulnerabilities in VMware Enterprise and Consumer Products (on-prem), describes under what circumstances we will issue a CVE identifier and VMware Security Advisory (VMSA), explains how to report a vulnerability in VMware-maintained code, defines terminology used in our publications and corrective actions, and documents our commitment to safe harbor practices.
If you believe you have found a vulnerability in a VMware product or service, please let us know by sending a private email to security@vmware.com. We suggest you use encrypted email to submit your reports. You can find our public PGP key at kb.vmware.com/s/article/1055.
VMware follows responsible vulnerability disclosure guidelines, where the researcher privately reports the newly discovered vulnerability in VMware's products and services directly to VMware. This allows VMware to address the vulnerability in the impacted product and services before any party publicly discloses the vulnerability/exploit details. VMware may credit the researcher following responsible vulnerability disclosure guidelines for vulnerability discovery and reporting.
VMware response timelines are dependent upon several factors such as severity, complexity, impact and product life cycle. VMware will make every effort to publish a fix or corrective actions to customers in the shortest commercially reasonable time based on assessment and severity.
If you are a VMware customer, we advise you to create a support request (SR) with the VMware Global Support Services team.
Receive & Acknowledge
Triage
Investigate
Remediate
Communicate & Credit
VMware publications utilize the industry-standard Common Vulnerability Scoring System (CVSS) in addition to qualitative severity terminology which aligns with FIRST standards.
VMware Qualitative Rating | FIRST Qualitative Rating | CVSS Score
Critical | Critical | 9.0 – 10.0
Important | High | 7.0 – 8.9
Moderate | Medium | 4.0 – 6.9
Low | Low | 0.1 – 3.9
None | None | 0.0
Note: The VMware qualitative rating may change and does not depend only on the CVSS score.
As an approved CVE Numbering Authority (CNA), VMware is authorized to assign CVE identifiers to vulnerabilities affecting products within our distinct, agreed upon scope.
VMware shall issue a CVE identifier for a vulnerability when it meets all the following criteria:
VMware discloses vulnerabilities in VMware Security Advisories. VMSAs include the following information:
Keep Up to Date on the Latest Vulnerabilities
VMware defines a workaround as a supported in-place configuration change which addresses currently known attack vectors for a given vulnerability. VMware will investigate potential workarounds for critical severity vulnerabilities documented in VMSAs.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and VMware will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.