Much to the chagrin of security pros, VMware security advisories are now only viewable if users sign up for a Broadcom Support account first.

Granted, it's free to register a support account, but the change, which was announced earlier this week, may create added friction for infosec professionals looking for details on the bugs they need to squish.

VMware announced the change on Tuesday via a blog post that didn't specify the reason for what will be perceived to be a step backward in openness and transparency. We asked Broadcom, its new owner, for further details but it didn't immediately reply.

URLs for older VMware security advisories will still work, so there's no need to change any browser bookmarks, they'll just instead redirect to the Broadcom Support Portal.

End-user computing (EUC) products are the only exception here. Security advisories for these will still appear in the old feed and won't be made available inside Broadcom's Support Portal.

Even better news: there are plans in place to allow Broadcom Support accounts to receive automatic notifications about new or modified advisories, but that feature isn't working yet.

"Based on customer entitlements and customer settings, the Support Portal will send out notifications to customers that have signed up to receive notifications for new or modified security advisories," blogged Monty Ijzerman, staff technical program manager at VMware's product security incident response team. 

"However, at this time, Support Portal is not yet prepared to send out these notifications when a VMware Security Advisory is published or modified."

Infosec experts widely criticized the move. The main concerns are weakened transparency around security, and some feel it may make the job of aggregating exposure to vulnerabilities a more difficult task.

Speaking to The Register, application security expert Sean Wright said: "This is yet another move in a list of recent changes that Broadcom has made which may cause some controversy. While I understand their desire to move the VMWare brand under their own brand, their approach is questionable.

"While it appears that individual vulnerabilities are publicly available on the Broadcom Support Portal, it will make it harder for security teams to keep track of all vulnerabilities across their VMWare product estate. Many will be unwilling to create yet another account for this purpose.

"Also worth asking is how mechanisms such as RSS feeds would work, or if at all. Many teams will rely on such mechanisms to have some form of automation for new advisories. Ultimately for some, this may turn out to be yet another reason to look to other alternative products."

Some have gone so far as to call on national security agencies in the EU and US to halt Broadcom's latest move, saying "this is not acceptable." 

CISA's official stance on information sharing is that it is "essential to furthering cybersecurity for the nation." It says information should be shared rapidly and seamlessly, and it appears Broadcom's efforts to account-wall its security information may go against this widely accepted industry ideal.

Beyond the negativity directed toward the changes around security advisory accessibility, VMware customers and channel partners have voiced myriad concerns about Broadcom's acquisition.

Fears of what could become of VMware were rife long before the 2023 acquisition by Broadcom, which was perceived by Symantec customers as a company that worsens the entities it absorbs.

Sysadmins told us back in 2022 that following Broadcom's takeover of Symantec, product evolution had slowed and prices were driven up. Industry sources suspected that these were to discourage unwelcome customers.

Similar fears surrounded the situation at VMware. Broadcom soon did away with VMware's perpetual licenses, favoring a subscription model. For context, VMware was planning to switch to subscriptions before Broadcom entered the equation, and a lifeline was thrown to customers already on these licenses.

That didn't stop European cloud trade body CISPE from criticizing Broadcom for the move. Its gripe wasn't with subscriptions, but the company's framing of the changes as pro-innovation and pro-competition.

CISPE said Broadcom was ignoring the concerns about packaging products together, meaning customers could be paying for products they don't want. It also raised concerns about price hikes, which El Reg sources have previously said to be in the 500 to 600 percent region. Some customers' license costs have risen from $8 million to $100 million, we're told.

The trade body also said Broadcom's changes were anti-cloud, requiring cloud services providers to license a minimum of 3,500 cores and a minimum three-year contract.

Separate security issues were also raised, specifically that the patch support for VMware perpetual license holders was "insulting in its limitations," CISPE said. Only patches for critical vulnerabilities would be offered unless customers moved to a subscription. CISPE said this "verges on racketeering."

Broadcom insists it's committed to providing value for customers and partners, and that it has taken customer feedback into account with its offerings. ®

https://www.theregister.com//2024/05/09/vmware_security_advisory_change/