Tech Companies Offer a Standard for Security Disclosures at the End of Life
A group of major tech companies, including Cisco, Microsoft, Dell, IBM, Oracle, and Red Hat, has come together to create a draft framework called 'OpenEoX.' The framework aims to standardize how companies announce the end of support and security updates for their products.

Currently, these end-of-life (EoL) notifications are scattered and use inconsistent terminology. This makes it difficult for businesses using outdated software or hardware to understand the security risks they face.
There is a growing concern about old, unsupported systems increasing cybersecurity threats, especially when such systems are part of intricate supply chains or industrial infrastructures.
Without a standard tracking method, security teams struggle to know which systems still get crucial updates.
A detailed 29-page white paper from the OpenEoX Technical Committee outlines this framework's vision. It suggests creating a universal, machine-readable format that informs users when products lose support and may become vulnerable.
The OpenEoX model aims to provide a shared data format that integrates with Software Bill of Materials (SBOMs), security alerts, and other tools.
It sets out four key lifecycle stages: General Availability (when a product is launched), End of Sales (last date for purchasing), End of Security Support (final date for security updates), and End of Life (last day for any product support), all in a machine-readable format.
The purpose is to ease the burden on vendors while helping customers, regulators, and auditors automate tracking and risk management tied to product lifecycles.
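The kind of automated tracking described above can be sketched as follows. This is an added example, not code from the OpenEoX white paper or committee: the record layout, key names, product names and dates are constructed assumptions, as is the rule that the four milestones must appear in chronological order.

```python
from datetime import date

# The four stages named in the article. Key names and record layout are
# assumptions made for this example, not the OpenEoX schema.
MILESTONES = ("general_availability", "end_of_sales",
              "end_of_security_support", "end_of_life")

# Constructed sample lifecycle records keyed by (product, version).
LIFECYCLE = {
    ("examplefw", "2.1"): {"general_availability": "2019-03-01", "end_of_sales": "2022-03-01",
                           "end_of_security_support": "2024-03-01", "end_of_life": "2025-03-01"},
    ("exampledb", "9.4"): {"general_availability": "2023-06-15", "end_of_sales": "2027-06-15",
                           "end_of_security_support": "2029-06-15", "end_of_life": "2030-06-15"},
}

def parse_record(raw):
    """Parse ISO dates; reject records with missing or out-of-order milestones."""
    dates = [date.fromisoformat(raw[m]) for m in MILESTONES]  # KeyError/ValueError on bad input
    if dates != sorted(dates):
        raise ValueError("lifecycle milestones out of chronological order")
    return dict(zip(MILESTONES, dates))

def stage_on(record, today):
    """Return the latest milestone reached on `today`, or 'pre_release'."""
    reached = [m for m in MILESTONES if record[m] <= today]
    return reached[-1] if reached else "pre_release"

def audit(inventory, today, warn_days=180):
    """Classify each (product, version) in an inventory by security-support status."""
    findings = {}
    for component in inventory:
        raw = LIFECYCLE.get(component)
        if raw is None:
            findings[component] = "unknown"  # missing lifecycle data is itself a finding
            continue
        rec = parse_record(raw)
        # The End of Security Support date is treated as the last supported day.
        days_left = (rec["end_of_security_support"] - today).days
        if days_left < 0:
            findings[component] = "unsupported:" + stage_on(rec, today)
        elif days_left <= warn_days:
            findings[component] = f"expiring:{days_left}d"
        else:
            findings[component] = "supported"
    return findings
```

In practice the inventory would come from an SBOM and the records from vendor-published lifecycle data; components reported as `unknown` deserve the same follow-up as those reported as `unsupported`.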
Though the initial focus is on software and hardware, these guidelines could also apply to AI models.
Omar Santos, co-chair of the OpenEoX group and a software engineer at Cisco, emphasizes that knowing when product support ends should be straightforward.
Effectively managing product lifecycles requires collaboration among all parties, including commercial vendors and open-source project managers.
This initiative is still in its early stages, but the group wants the draft to serve as a blueprint for wider adoption and future standards. Anyone in the industry, including vendors, researchers, and government bodies, can join the OpenEoX committee through OASIS membership.
The group is inviting public comments before finalizing the proposal into a full OASIS standard.