
VMware Perpetual License Holder Receives Audit Letter From Broadcom (arstechnica.com)

(Thursday June 26, 2025 @05:40PM (BeauHD) from the latest-developments dept.)


An anonymous reader quotes a report from Ars Technica:

> After sending [1]cease-and-desist letters to VMware users whose support contracts had expired and who subsequently declined to subscribe to one of Broadcom's VMware bundles, Broadcom has [2]started the process of conducting audits on former VMware customers. [...] Ars Technica reviewed a letter that a software provider and VMware user in the Netherlands received that is dated June 20 and informs the firm that it "has been selected for a formal audit of its use of VMware software and support services" [PDF]. The security professional who provided Ars with the letter asked to keep their name and their employer's name anonymous out of privacy concerns.

>

> The anonymous employee told Ars that their company had been a VMware customer for "about" a decade before deciding not to sign up for a new contract with Broadcom's VMware a year ago. The company had been using VMware Cloud Foundation and vSphere. "Our CEO decided to not extend the support contract because of the costs," the employee said. "This already impacts us security-wise because we can no longer get updates (unless the CVSS score is critical)." The letter notes that an auditing firm, Connor Consulting, which is headquartered in San Francisco and has offices around the globe, will perform a review of the company's "VMware deployment and entitlements, which may include fieldwork or remote testing and meetings with members of your accounting, licensing, and management information systems functions." The letter informs its recipient that someone from Connor will reach out and that the VMware user should respond within three business days.

>

> The letter, signed by Aiden Fitzgerald, director of global sales operations at Broadcom, claims that Broadcom will use its time "as efficiently and productively as possible to minimize disruption." Still, the security worker that Ars spoke with is concerned about the implications of the audit and said they "expect a big financial impact" for their employer. They added: "Because we are focusing on saving costs and are on a pretty tight financial budget, this will likely have impact on the salary negotiations or even layoffs of employees. Currently, we have some very stressed IT managers [and] legal department [employees] ..." The employee noted that they are unsure if their employer exceeded its license limits. If the firm did, it could face "big" financial repercussions, the worker noted.



[1] https://yro.slashdot.org/story/25/05/07/1856255/vmware-perpetual-license-holders-receive-cease-and-desist-letters-from-broadcom

[2] https://arstechnica.com/information-technology/2025/06/vmware-perpetual-license-holder-receives-audit-letter-from-broadcom/



Open Source (Score:4, Insightful)

by bill_mcgonigle ( 4333 ) *

Yet another reason to use open source virtualization - the legal cost of proprietary can be unbounded.

Plenty of former Oracle customers use PostgreSQL now for similar reasons.

The Fortune 50 can afford the risk of proprietary but most small businesses can't.

Unless you violate the BusyBox license you shouldn't have any worries.

I wonder if any insurers are covering this yet.

Sounds a lot like... (Score:3)

by flippy ( 62353 )

...extortion to me. "You decided not to subscribe to our services? We're going to cause expenses for you, even if you are abiding by the terms of the perpetual license you paid for. You might as well subscribe, and this 'headache' will go away."

Re:Sounds a lot like... (Score:4, Interesting)

by Afell001 ( 961697 )

...pray that we don't choose to alter the deal further...

Re: (Score:2)

by flippy ( 62353 )

Could hardly have said it better.

What am I missing? (Score:4, Interesting)

by DaFallus ( 805248 )

What is keeping these customers from simply ignoring VMware and these auditors?

Re: (Score:2)

by haruchai ( 17472 )

perhaps a visit from the FBI?

[1]https://www.sfgate.com/news/ar... [sfgate.com]

[1] https://www.sfgate.com/news/article/fbi-sting-seizes-computers-linked-to-software-2856400.php

Re: (Score:2)

by caseih ( 160668 )

In the Netherlands? I doubt it. But no doubt local hired guns would be used.

Re: (Score:2)

by laughingskeptic ( 1004414 )

Exactly, no company has to let anyone in the door or give them access to their networks. Broadcom can sue for access, but they are going to need some evidence to get very far in court before they can even get the right to go through discovery.

The company could use other tactics too, like requiring a surety bond from the auditor with a very high face value ... say $100M for potential damages and require payment up front for the time of the employees.

Re: (Score:2)

by ArchieBunker ( 132337 )

Nothing. Enforcement by the courts has been tested and found to be toothless.

Do they get any new customers? (Score:2)

by Kernel Kurtz ( 182424 )

I get that people who have been using VMWare for a while are kind of screwed, but do new people still voluntarily sign up for this? Seems to me anyone suggesting such a thing these days should raise huge red flags of competence.

they only want the big fish that are some what loc (Score:2)

by Joe_Dragon ( 2206452 )

they only want the big fish that are somewhat locked into vmware

legal basis? (Score:2)

by david.emery ( 127135 )

Does VMWare have a contract clause that permits them to 'audit' a former customer? Under what country's laws would this be conducted? NL or US?

IANAL, but it's not clear at all to me that a company with whom you no longer have a contract has any legal right to conduct a clearly forensic audit. And of course, as others here have pointed out, this is an action that inflicts financial damage on the former customer to support such an audit. I'm sure the target company's legal counsel is working overtime prep

Re: (Score:2)

by flibbidyfloo ( 451053 )

We'd have to see whatever license agreement they agreed to when they last installed an update to the software, which could have come with new terms allowing this. If they refuse to submit to the audit, VMWare might be able to remotely kill all the software, since I'm sure it's had some kind of online component to the licensing for years now.

Bill them (Score:2)

by henni16 ( 586412 )

They should bill Broadcom for the time and cost because it's not like they ordered the audit.
