So I wanted to report the bug to Veeam. I first tried to look on the Veeam web site to see if Veeam has some kind of "security task force" - nothing found. So I made a support case with detailed info on the bug. I got met by a Level 1 supporter who did not understand the problem and scope of the problem. After asking for it to be escalated, it finally got to the state "R&D says it's a known bug and will be fixed in v9".
(Case 01060568)
The bug affects all customers (possibly only when using VMware; haven't tested with Hyper-V). I don't want to go into details here in public, as the bug is still not fixed. The bug is not "heartbleed-critical" but could help hackers get access to (non-Veeam) systems a lot easier. The bug has a simple "workaround" fix, if you know it exists. If you don't know it exists, it will expose security information about systems it backs up. Right now I fear very few people know about it.
I was expecting more from Veeam than a personal "Known bug, fixed in a future release". I am (was) expecting to be informed about security-related bugs. I trust all my data to Veeam software. How else can I trust Veeam with my very sensitive data if Veeam doesn't help me secure Veeam installations?
Am I missing something here? Is there a hidden mailing list that sends out information about security-related issues in Veeam products? If not, consider this a "feature request".

Thanks for reading,
Anders