Vulnerability and Patch Management

The Vulnerability Management Program performs vulnerability scans at the network, application, and operating system layers and follows industry best practices. The program includes third-party vulnerability scanning and penetration testing. Results of vulnerability scans are not shared with customers, as customers do not participate in the service's vulnerability management program. Withholding the results helps preserve the confidentiality, integrity, and availability of the hosted VMware services. Vulnerability scans are reviewed as part of the annual audit and assessment program.
VMware analyzes the severity and impact of potential vulnerabilities and upgrades all network, utility, and security equipment accordingly. VMware subscribes to vendor security and bug-tracking notification services. Remediation efforts are prioritized, with critical and high-risk issues addressed first. Critical patches are installed on time; non-critical patches are included in the pre-defined patch schedule and applied within reasonable timeframes. Changes are made according to industry best practices.
The QA department completes patch testing and rollback procedures and ensures compatibility with, and minimal impact on, the production environment. Third-party auditors review the vulnerability and patch management process against industry standards, including ISO 27001. VMware furnishes audit reports under an NDA.