Broadcom restricts access to VMware security advisories.

Access to VMware security advisories now requires a Broadcom support account, causing frustration among security professionals. This change, although it involves registering for free, adds friction for those seeking detailed information on vulnerabilities.

May 9th Update

Broadcom has reconsidered its stance, and VMware security advisories are now available without needing to log in to the Broadcom support portal. According to Monty Ijzerman of VMware, there is no longer a need to access the support portal to view a list of security advisories.

Security advisories can be found for the following products without needing to log in:

  • VMware Cloud Foundation
  • Tanzu
  • Application Networking and Security
  • Software Defined Edge

Initial Situation

The change was announced by VMware through a blog post without specifying the reasons, which was perceived as a step back in transparency. Although old links will still work, they will redirect to the Broadcom support portal. The only exception is for end-user computing products, whose security advisories will continue to appear in the old feed.

There are also plans for Broadcom support accounts to receive automatic notifications about new security advisories, although this feature is not yet available.

Reactions from Security Experts

Some experts have even suggested that national security agencies in the EU and the U.S. intervene to stop this measure, labeling it as unacceptable.

Concerns about VMware’s Future under Broadcom

Prior to the acquisition of VMware by Broadcom in 2023, there were fears about the company’s future. Customers of Symantec, which Broadcom had previously acquired, reported a slowdown in product evolution and price increases, raising concerns about the impact on VMware.

Broadcom eliminated VMware’s perpetual licenses in favor of a subscription model, a transition VMware had already been planning. However, this did not stop the criticism, especially over product bundling and price increases, which in some cases have reached 500 to 600%.

The change has also been described as anti-cloud due to the requirement of licenses for a minimum of 3,500 cores and a minimum three-year contract, which, according to CISPE, could be harmful to cloud service providers.
