After sending cease-and-desist letters to VMware users whose support contracts had expired and who subsequently declined to subscribe to one of Broadcom’s VMware bundles, Broadcom has started the process of conducting audits on former VMware customers.
Broadcom stopped selling VMware perpetual licenses in November 2023 in favor of pushing a small number of VMware SKUs that feature multiple VMware offerings. Since Broadcom is forcefully bundling VMware products, the costs associated with running VMware have skyrocketed, with customers frequently citing 300 percent price hikes and some firms claiming even larger increases. As a result, some VMware users have opted to keep using VMware perpetual licenses, even though Broadcom refuses to renew most of those clients’ support services.
This year, Broadcom started sending such VMware users cease-and-desist letters [PDF], telling organizations to stop using any maintenance releases/updates, minor releases, major releases/upgrades extensions, enhancements, patches, bug fixes, or security patches (except for zero-day security patches) that VMware issued since the user’s support contract ended.
The letters also warned of potential audits, which appear to be underway now.
Broadcom starts auditing
Ars Technica reviewed a letter that a software provider and VMware user in the Netherlands received that is dated June 20 and informs the firm that it “has been selected for a formal audit of its use of VMware software and support services” [PDF]. The security professional who provided Ars with the letter asked to keep their name and their employers’ name anonymous out of privacy concerns.
The anonymous employee told Ars that their company had been a VMware customer for “about” a decade before deciding not to sign up for a new contract with Broadcom’s VMware a year ago. The company had been using VMware Cloud Foundation and vSphere.
“Our CEO decided to not extend the support contract because of the costs,” the employee said. “This already impacts us security-wise because we can no longer get updates (unless the CVSS score is critical).”
The letter notes that an auditing firm, Connor Consulting, which is headquartered in San Francisco and has offices around the globe, will perform a review of the company’s “VMware deployment and entitlements, which may include fieldwork or remote testing and meetings with members of your accounting, licensing, and management information systems functions.” The letter informs its recipient that someone from Connor will reach out and that the VMware user should respond within three business days.
The letter, signed by Aiden Fitzgerald, director of global sales operations at Broadcom, claims that Broadcom will use its time “as efficiently and productively as possible to minimize disruption.”
Still, the security worker that Ars spoke with is concerned about the implications of the audit and said they “expect a big financial impact” for their employer. They added:
Because we are focusing on saving costs and are on a pretty tight financial budget, this will likely have impact on the salary negotiations or even layoffs of employees. Currently, we have some very stressed IT managers [and] legal department [employees] …
The employee noted that they are unsure if their employer exceeded its license limits. If the firm did, it could face “big” financial repercussions, the worker noted.
Users deny wrongdoing
As Broadcom works to ensure that people aren’t using VMware outside its terms, some suggest that the semiconductor giant is wasting some time by investigating organizations that aren’t violating agreements.
After Broadcom started sending cease-and-desist letters, at least one firm claimed that it got a letter from Broadcom despite no longer using VMware at all.
Additionally, various companies claimed that they received a cease-and-desist from Broadcom despite not implementing any updates after their VMware support contract expired.
The employee at the Dutch firm that received an audit notice this month claimed that the only update that their employer has issued to the VMware offerings it uses since support ended was a “critical security patch.”
That employee also claimed to Ars that their company didn’t receive a cease-and-desist letter from Broadcom before being informed of an audit.
Broadcom didn’t respond to Ars' request for comment ahead of publication, so we’re unable to confirm if the company is sending audit letters without sending cease-and-desist letters first. Ars also reached out to Connor but didn’t hear back.
“When we saw the news that they were going to send cease-and-desist letters and audits, our management thought it was a bluff and that they would never do that,” the anonymous security worker said.
Broadcom’s litigious techniques to ensure VMware agreements are followed has soured its image among some current and former customers. Broadcom’s $69 billion VMware acquisition has proven lucrative, but as Broadcom approaches two years of VMware ownership, there are still calls for regulation of its practices, which some customers and partners believe are “legally and ethically flawed.”
Travis Kalanick is trying to buy Pony.ai — and Uber might help