VMware Perpetual License Holder Receives Audit Letter From Broadcom (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: After sending cease-and-desist letters to VMware users whose support contracts had expired and who subsequently declined to subscribe to one of Broadcom's VMware bundles, Broadcom has started the process of conducting audits on former VMware customers. [...] Ars Technica reviewed a letter that a software provider and VMware user in the Netherlands received that is dated June 20 and informs the firm that it "has been selected for a formal audit of its use of VMware software and support services" [PDF]. The security professional who provided Ars with the letter asked to keep their name and their employers' name anonymous out of privacy concerns.
The anonymous employee told Ars that their company had been a VMware customer for "about" a decade before deciding not to sign up for a new contract with Broadcom's VMware a year ago. The company had been using VMware Cloud Foundation and vSphere. "Our CEO decided to not extend the support contract because of the costs," the employee said. "This already impacts us security-wise because we can no longer get updates (unless the CVSS score is critical)." The letter notes that an auditing firm, Connor Consulting, which is headquartered in San Francisco and has offices around the globe, will perform a review of the company's "VMware deployment and entitlements, which may include fieldwork or remote testing and meetings with members of your accounting, licensing, and management information systems functions." The letter informs its recipient that someone from Connor will reach out and that the VMware user should respond within three business days.
The letter, signed by Aiden Fitzgerald, director of global sales operations at Broadcom, claims that Broadcom will use its time "as efficiently and productively as possible to minimize disruption." Still, the security worker that Ars spoke with is concerned about the implications of the audit and said they "expect a big financial impact" for their employer. They added: "Because we are focusing on saving costs and are on a pretty tight financial budget, this will likely have impact on the salary negotiations or even layoffs of employees. Currently, we have some very stressed IT managers [and] legal department [employees] ..." The employee noted that they are unsure if their employer exceeded its license limits. If the firm did, it could face "big" financial repercussions, the worker noted.
Open Source (Score:5, Insightful)
Yet another reason to use open source virtualization - the legal cost of proprietary can be unbounded.
Plenty of former Oracle customers use PostgreSQL now for similar reasons.
The Fortune 50 can afford the risk of proprietary but most small businesses can't.
Unless you violate the BusyBox license you shouldn't have any worries.
I wonder if any insurers are covering this yet.
Re:Open Source (Score:4, Informative)
Today I'd look at Proxmox before doing that - they provide a lot of the connective tissue you need to make it business-usable.
Re: (Score:3, Informative)
Xen, KVM, Proxmox, RHV. Any of those works just as well as ESXi.
If your IT dept is still running ESXi and VMware at this point fire the CIO/CTO/CISO and hire someone competent.
If your Sr. Server Eng cries about losing VMware fire him/her/them as well.
Re: (Score:2)
Replaced by OpenShift, which is a much bigger, much more expensive proposition.
Re: Open Source (Score:2)
Also quite a bit more awkward.
RH was on a trajectory to decently compete with VMware as a decent virtualization platform on technical merit, but I think they found VMware being first meant there wasn't much interest in changing.
So they ditched RHEV and chased "cloud" with open stack... Except open stack was never that great, and the demand for a fully realized on premise "cloud" didn't follow from off premise cloud anyway...
So red hat changed to openshift and kind of sort of shoehorned VMs awkwardly to prov
Re: (Score:2)
How does something like proxmox compare to vmware in the larger space? What functionality is missing that is critical for larger businesses?
Genuinely curious.
Re: (Score:1)
From what little I could gather it was things like spinning up and spinning down and rebooting large numbers of machines, and firing up large numbers of machines for scaling.
From what I understand what makes virtualization
Re: Open Source (Score:2)
I get the idea. I worked in a larger corporate environment over a decade ago, left it for the smaller environments (better working conditions).
Was interested to see what's changed.
enterprise level support contracts / backup tools (Score:2)
enterprise level support contracts / backup tools (getting a lot better lately)
Re: Open Source (Score:3)
Re: (Score:2)
How does something like proxmox compare to vmware in the larger space? What functionality is missing that is critical for larger businesses?
Genuinely curious.
So, these are a few things off the top of my head; I tend to limit my usage to only smaller installs, so consider this more of a "stuff to Google for clarification" list than a definitive set of information...
I think the biggest thing is that there is no analogue to vSAN. It'll mount iSCSI and NFS targets, and its ceph implementation is at least on par with VMFS, but larger installs that depend on vSAN tend to be underwhelmed.
The Proxmox Datacenter Manager, which allows for live migration of VMs between hos
Re: (Score:2)
Thank you, that makes sense.
Re:Open Source YUP (Score:2)
Sounds a lot like... (Score:5, Insightful)
Re:Sounds a lot like... (Score:5, Funny)
Re: (Score:2)
Re:Sounds a lot like... (Score:4, Insightful)
>"...extortion to me. "You decided not to subscribe to our services? We're going to cause expenses for you, even if you are abiding by the terms of the perpetual license you paid for. You might as well subscribe, and this 'headache' will go away."
Pretty much. But that is in the license they agreed to when they use it. They have a choice:
1) Stick to what they have now and suffer the endless audits and fines/lawsuits. And never update. And deal with security and later compatibility issues.
2) Give in and pay through the nose for rent-ware with Broadcom.
3) Jump to some other cheaper/more sane proprietary platform and hope they don't do the same or disappear.
4) Move to an open source platform like XCP-NG/Xen Orchestra or Proxmox or whatever, assuming it meets the needs.
Choose wisely! I would recommend #4. End the problem now and forever. That doesn't mean it won't cost time/energy/stress to convert, but it might be the best investment ever. And #4 can also include commercially-supported options of that FOSS system if that becomes an issue or is necessary (at a small fraction of the cost of Broadcom options).
Re: (Score:3)
Re: (Score:3)
Do they even get to dictate who is audited? Sounds like you can drain/DoS a company's resources.
What am I missing? (Score:5, Interesting)
Re: (Score:2)
perhaps a visit from the FBI?
https://www.sfgate.com/news/ar... [sfgate.com]
Re: (Score:2)
In the Netherlands? I doubt it. But no doubt local hired guns would be used.
Re: (Score:2)
You mis-spelled "goons".
Re: (Score:2)
As some would say, same difference.
Re: (Score:2)
The company could use other tactics too, like requiring a surety bond from the auditor with a very high face value
Re: (Score:1)
The problem is proprietary software licenses often have clauses giving the vendor the right to audit. In order to get rid of that right you have to get rid of the software and then renounce the license.
Re: (Score:3)
Re: What am I missing? (Score:2)
Re: (Score:2)
Nothing. Enforcement by the courts has been tested and found to be toothless.
Re: (Score:2)
In which jurisdictions? There's nothing like that globally.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
The consideration is that you get to use the software. It is "licensed, not sold". If you want to keep using the software, you comply with the license, which probably means an audit clause. If the agreement is void, then you have no right to use the software anymore and are in copyright violation. It's not a good deal, but that's enterprise proprietary software for you.
License Agreement Clauses (Score:5, Informative)
Re: (Score:2)
Re: (Score:2)
Does such an agreement continue to exist once the vendor stops supporting the product? Seems pretty one-sided to no longer provide any support yet still have the right to perform audits. I would hope that such an agreement would be invalidated if it was ever brought to court.
I think they'd argue that the audit is a condition of the license to use the software, which the customer already agreed to and which was not tied to an ongoing support contract. Depending on the details of the license agreement, this could pass legal muster.
It still seems like a stupid move on the part of Broadcom, alienating their customer base in the hope of extracting a few more fees. I wonder if they've decided that their virtualization business is soon going to be eaten up by OSS anyway, so they h
Re: (Score:2)
The basis for this type of audit request is typically that the right to perform audits was buried somewhere in the software licensing agreement that the customer "agreed to". I know this is the case with Microsoft and other vendors. I've personally assisted with such audits. They are time-consuming, intrusive, and cast a pretty wide net. The audits are also usually done by a contracted 3rd-party, similar to how debt collection is contracted out. The last time I received notification for an audit, I simply ignored it. After a few attempts they stopped contacting. I suspect they're interested in low-hanging fruit, not getting into expensive legal actions.
Even if there is a requirement to allow audits, is there a requirement about how those audits are supported? For example, could I simply assign an intern to meet with the auditor? Or can the auditor require the CEO to sit in on 8-hour meetings?
Re: License Agreement Clauses (Score:2)
Lease the compute power and software (Score:2)
High risk parts of businesses such as a manufacturer who also transports their own product will
1. Have a parent company
2. Form an offshore company for the risky part of the business, such as the trucking part of the business
3. The risky part of the business leases all its equipment from another company
If the risky part gets into legal trouble, they essentially have no assets to go after since they have minimal working capital and own nothing.
A legal action against the parent company or another part of the b
Re: (Score:1)
The basis for this type of audit request is typically that the right to perform audits was buried somewhere in the software licensing agreement that the customer "agreed to".
Since it is not possible to buy the software without also agreeing to the license, it is not REALLY an agreement. Any sane judge would strike it down as not being a "meeting of the minds".
It is outrageous that such clauses even exist. It is a step too far.
Re: (Score:2)
Can't they invoice Broadcom for the time spent on this audit (if nothing is found)?
Re: What am I missing? (Score:1)
Re: (Score:2)
You agree to an audit, as part of the license agreement.
Re: (Score:2)
Do they get any new customers? (Score:3)
they only want the big fish that are some what loc (Score:2)
they only want the big fish that are some what locked into vmware
legal basis? (Score:4, Interesting)
Does VMware have a contract clause that permits them to 'audit' a former customer? Under what country's laws would this be conducted? NL or US?
IANAL, but it's not clear at all to me that a company with whom you no longer have a contract has any legal right to conduct a clearly forensic audit. And of course, as others here have pointed out, this is an action that inflicts financial damage on the former customer to support such an audit. I'm sure the target company's legal counsel is working overtime preparing a response to this.
Re: (Score:2)
We'd have to see whatever license agreement they agreed to when they last installed an update to the software, which could have come with new terms allowing this. If they refuse to submit to the audit, VMware might be able to remotely kill all the software, since I'm sure it's had some kind of online component to the licensing for years now.
Re: (Score:3)
So you understand the situation to be the target company is using VMware products it has under an existing perpetual license agreement, but that refused to change the terms of that agreement or to sign any new agreements? I could see that as a legal foundation for the audits to "ensure only the existing licensed products are being used." (But I'd sure ask, "Where was corporate legal when that contract was first signed?" Agreeing to an unconstrained right for some outside company to enter your company and
Re: (Score:2)
The thing about those "license agreements" is that they're generally unenforceable for many reasons, a major one being contract law (in the UK, at least). To be legal, a contract has to be "fair" (a tricky legal term, a bit like "the man on the street") as well as other steps such as both parties must have had the opportunity to contribute to the agreement, with negotiated terms that must be made on an equal footing. A typical "license agreement" that is *forced* on you by making you click "yes" on receivin
Re: (Score:2)
Does VMware have a contract clause that permits them to 'audit' a former customer? Under what country's laws would this be conducted? NL or US?
The fact that the company continues to use VMware - legally although they can no longer update it - sort of means that they aren't really a former customer. If they stopped using it completely when they decided not to pay Broadcom's subscription fee, I'd agree that they are a former customer. So that probably gives Broadcom the right to audit them. In my career at various jobs we sometimes had to go through this kind of audit as some companies were super paranoid that their customers might be using mo
Re: (Score:2)
Does VMware have a contract clause that permits them to 'audit' a former customer?
If they're still using VMware's licensed software, are they a former customer? I think the answer depends on the details of the license and purchase agreements.
Bill them (Score:2)
They should bill Broadcom for the time and cost because it's not like they ordered the audit.
Re: (Score:2)
You mean like I get to contest border fees since I didn't ask for them to inspect my packages?
Important safety tip (Score:5, Funny)
Never invite a vampire into your home.
Re: (Score:2)
Mod parent funnier. We all need more funny these [long] weeks.
Here is what they are auditing (Score:2)
from TFA -
"This year, Broadcom started sending such VMware users cease-and-desist letters, telling organizations to stop using any maintenance releases/updates, minor releases, major releases/upgrades extensions, enhancements, patches, bug fixes, or security patches (except for zero-day security patches) that VMware issued since the user’s support contract ended."
So if you kept your perpetual license and didn't buy a new support contract, they're making sure you haven't done unauthorized patches since
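Anyone in this position would want an inventory of what was installed on each host after the support contract ended. The following is an added example, not code from the article or from any commenter: it parses output in the layout of `esxcli software vib list` (the sample rows and their versions are constructed placeholders, not real host data) and flags VIBs whose install date falls after an assumed contract end date.

```python
from datetime import date

# Constructed sample in the column layout of `esxcli software vib list`
# (Name, Version, Vendor, Acceptance Level, Install Date, Platforms).
# Versions are placeholders; two VIBs predate the cutoff, one does not.
SAMPLE_VIB_LIST = """\
Name          Version              Vendor  Acceptance Level  Install Date  Platforms
------------  -------------------  ------  ----------------  ------------  ---------
esx-base      7.0.3-0.0.00000000   VMW     VMwareCertified   2023-11-14    host
esx-xserver   7.0.3-0.0.00000000   VMW     VMwareCertified   2023-11-14    host
esx-update    7.0.3-0.0.00000001   VMW     VMwareCertified   2024-09-02    host
"""

# Assumed support contract end date (constructed for this example).
CONTRACT_END = date(2024, 6, 30)


def parse_vib_list(text):
    """Turn the whitespace-aligned table into a list of dicts.

    Header and separator rows are skipped; a row is accepted only if its
    fifth column parses as an ISO date, which is the Install Date column.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        try:
            installed = date.fromisoformat(parts[4])
        except ValueError:
            continue  # header, separator, or otherwise not a data row
        rows.append({
            "name": parts[0],
            "version": parts[1],
            "vendor": parts[2],
            "acceptance": parts[3],
            "installed": installed,
        })
    return rows


def vibs_installed_after(rows, cutoff):
    """Return the VIBs whose recorded install date is later than cutoff."""
    return [r for r in rows if r["installed"] > cutoff]


def summarize(text, cutoff):
    """Count total VIBs and those installed after the cutoff, naming the latter."""
    rows = parse_vib_list(text)
    late = vibs_installed_after(rows, cutoff)
    return {
        "total": len(rows),
        "after_cutoff": len(late),
        "names": sorted(r["name"] for r in late),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_VIB_LIST, CONTRACT_END))
```

The install date records when a VIB was placed on that host, not when it was released, so a host rebuilt after the cutoff from pre-cutoff media will show late dates and needs the version checked by hand.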
Re: (Score:2)
I predict that [company] computers were downloading patches and updates from Broadcom's computers, using login credentials of [company].
Remember SCO? (Score:4, Interesting)
Back in 2003, SCO sent letters to all its System V Unix source code licensees demanding certification in writing that they were in compliance. When Daimler Chrysler failed to respond (due to SCO having an out-of-date mailing address in the intervening 16 years) SCO filed a lawsuit. How did that turn out?
Broadcom might find it informative to check out case 07-11337 in Delaware bankruptcy court. Still pending after 18 years.
Re: (Score:3)
The parties agreed to dismiss and it never went to trial.
Are you confusing that with the SCO-Linux lawsuits?
Just say "no" (Score:2)
Just say "No" and ignore them. Do not feed the trolls.
They will eventually go away and bother someone else or they could come to NL and go to court and explain their a**hattery.
Broadcom can.. (Score:2)
no shit (Score:1)
This stuff used to happen all the time in the 1990s with Microsoft and other software vendors, because back then their software was crazy expensive (like, $500 for a word processor alone, and that was when money was worth something) and it was all manually installed without any kind of copy protection -- it was super common for companies to have not quite enough licenses. Software vendors would offer bounties to employees who ratted out their employers too.
You can still run into this with Oracle. And of cour
What happens when you say no? (Score:2)
Can a license force you to let other companies audit you?
What the actual EULA says (Score:2)
14.6. Replace Section 4 (“Records and Audit”) with the following:
“You must maintain accurate records of your use of the Software sufficient to show compliance with the terms of this EULA. We have the right to audit those records and your use of the Software, at our own expense, to confirm compliance with the terms of this EULA. That audit is subject to reasonable prior notice and will not unreason
Business Software Alliance? (Score:2)
Re: (Score:2)
A single anonymous employee who "noted that they are unsure if their employer exceeded its license limits" is not a suggestion of non-compliance, especially when the employee is described as a "security professional," not a sysadmin, and therefore unlikely to have license compliance as part of their job function.
A single answer of "I don't know" from an employee who isn't responsible for knowing is not *reasonable* suspicion of wrongdoing.
Re: (Score:2)
ProxMox is amazing (Score:1)