About VMware Security Response Center
A top priority for VMware is to maintain the trust awarded to us by our customers. We recognize that unless our products meet the highest standards for security, customers will not be able to utilize them with confidence. To achieve this, the VMware Security Response Center (vSRC) maintains a program to identify, respond to, and address vulnerabilities. This publication documents our policies for addressing vulnerabilities in VMware Enterprise and Consumer Products (on-prem), describes under what circumstances we will issue a CVE identifier and VMware Security Advisory (VMSA), explains how to report a vulnerability in VMware-maintained code, defines terminology used in our publications and corrective actions, and documents our commitment to safe harbor practices.
How to Report Vulnerabilities
If you believe you have found a vulnerability in a VMware product or service, please let us know by sending a private email to email@example.com. We suggest you use encrypted email to submit your reports. You can find our public PGP key at kb.vmware.com/s/article/1055.
VMware follows responsible vulnerability disclosure guidelines, under which the researcher privately reports a newly discovered vulnerability in VMware's products and services directly to VMware. This allows VMware to address the vulnerability in the impacted products and services before any party publicly discloses the vulnerability or exploit details. VMware may credit researchers who follow responsible vulnerability disclosure guidelines for the discovery and reporting of the vulnerability.
VMware response timelines depend on several factors such as severity, complexity, impact and product life cycle. VMware will make every effort to publish fixes or corrective actions to customers as follows:
- Critical: Begin work on a fix or corrective action immediately and provide to customers in the shortest commercially reasonable time.
- Important: Deliver a fix in the next planned maintenance or update release of the product where relevant.
- Moderate, Low: Deliver a fix with the next planned release of the product.
If you are a VMware customer, we advise you to create a support request (SR) with the VMware Global Support Services team.
Understanding Severity & Common Vulnerabilities and Exposures
VMware Severity Definitions
VMware publications utilize the industry-standard Common Vulnerability Scoring System (CVSS) in addition to qualitative severity terminology which aligns with FIRST standards.

| VMware Qualitative Rating | FIRST Qualitative Rating | CVSS Score Range |
|---|---|---|
| Critical | Critical | 9.0 – 10.0 |
| Important | High | 7.0 – 8.9 |
| Moderate | Medium | 4.0 – 6.9 |
| Low | Low | 0.1 – 3.9 |
Note: The VMware qualitative rating may change and does not depend only on the CVSS score.
Common Vulnerabilities and Exposures (CVEs) Identifiers:
As an approved CVE Numbering Authority (CNA), VMware is authorized to assign CVE identifiers to vulnerabilities affecting products within our distinct, agreed-upon scope.
VMware shall issue a CVE identifier for a vulnerability when it meets all of the following criteria:
- The vulnerability is the result of unexpected behavior in VMware-maintained code.
- The vulnerability results in a measurable confidentiality, integrity, or availability compromise.
- The vulnerability exists in one or more currently supported VMware products documented in the VMware Product Lifecycle Matrix or the vulnerability exists in a VMware-maintained open-source project which is currently supported.
VMware Security Advisories (VMSAs)
VMware discloses vulnerabilities in VMware Security Advisories. VMSAs include the following information:
- Qualitative Severity Information
- CVSS Scoring
- Impacted product suites that are currently supported
- Vulnerability Descriptions
- Currently Known Attack Vectors
- Remediation Information
- Workarounds for Critical Severity Vulnerabilities (if possible)
- Notes containing confirmation if exploitation is happening in the wild
VMware defines a workaround as a supported, in-place configuration change that addresses the currently known attack vectors for a given vulnerability. VMware will investigate potential workarounds for critical severity vulnerabilities documented in VMSAs.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and VMware will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.