A coalition of big tech vendors, including Cisco, Microsoft, Dell, IBM, Oracle, and Red Hat, has published a draft ‘OpenEoX’ framework to standardise the way companies announce when products will stop receiving security patches or any other form of support.
The draft standard, released through the OASIS standards body, argues that today’s end-of-life (EoL) notices are scattered, inconsistently worded and hard to track, causing major problems for organizations running obsolete software or hardware without understanding the expanded security risk.
The push comes amid widespread concern that outdated or unsupported systems have quietly compounded cybersecurity risks inside organizations, particularly when those end-of-life systems are embedded in complex software supply chains or industrial infrastructure.
Without a standardized way to track support timelines, security teams often struggle to maintain visibility into which systems still receive critical patches, the coalition noted.
Published by the OpenEoX Technical Committee, a 29-page white paper documents the framework the coalition hopes will become a universal, machine-readable format for notifying users when products are no longer supported and potentially vulnerable.
The OpenEoX model proposes to close those gaps by defining a shared data format that can be integrated into SBOMs (Software Bill of Materials), security advisories, and other ecosystem tools.
It defines four uniform lifecycle checkpoints: General Availability (the first ship date), End of Sales (the last day a product can be purchased), End of Security Support (the last day the vendor issues patches) and End of Life (the final date for any form of vendor support), all published in a machine-readable format.
The goal is to reduce the burden on vendors while enabling customers, regulators, and supply chain auditors to automate tracking and risk decisions tied to product lifecycle status.
Although the initial focus is on software and hardware, the authors note the same fields could be applied to AI models.
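As an added illustration (not from the white paper or the OpenEoX committee), the Python below maps an inventory record carrying the four checkpoints onto a support status for a given date and flags checkpoints announced out of order; the field names, product names and dates are constructed assumptions, not the OpenEoX schema.

```python
from datetime import date

# Constructed sample inventory. Field names are assumptions used here for
# illustration only; they are not the OpenEoX schema's actual field names.
INVENTORY = [
    {"product": "router-os", "version": "4.2",
     "general_availability": date(2018, 1, 15), "end_of_sales": date(2021, 6, 30),
     "end_of_security_support": date(2023, 12, 31), "end_of_life": date(2025, 12, 31)},
    {"product": "db-server", "version": "11",
     "general_availability": date(2022, 3, 1), "end_of_sales": date(2026, 3, 1),
     "end_of_security_support": None, "end_of_life": None},  # not yet announced
]

CHECKPOINTS = ["general_availability", "end_of_sales",
               "end_of_security_support", "end_of_life"]


def lifecycle_phase(record: dict, as_of: date) -> str:
    """Place as_of on the four checkpoints; each checkpoint is the LAST day
    of its phase, so the day after it starts the next phase."""
    if as_of < record["general_availability"]:
        return "pre-release"
    if record["end_of_life"] is not None and as_of > record["end_of_life"]:
        return "end-of-life"
    if record["end_of_security_support"] is not None and as_of > record["end_of_security_support"]:
        return "no-security-patches"
    if record["end_of_sales"] is not None and as_of > record["end_of_sales"]:
        return "end-of-sales"
    return "supported"


def unpatched_assets(inventory: list, as_of: date) -> list:
    """Products that no longer receive vendor security patches on as_of."""
    return [f"{r['product']} {r['version']}" for r in inventory
            if lifecycle_phase(r, as_of) in ("no-security-patches", "end-of-life")]


def checkpoint_order_errors(record: dict) -> list:
    """Consistency check: announced checkpoints must be chronological
    (GA <= end of sales <= end of security support <= end of life)."""
    announced = [(k, record[k]) for k in CHECKPOINTS if record[k] is not None]
    return [f"{a} after {b}" for (a, da), (b, db) in zip(announced, announced[1:])
            if da > db]
```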
“Knowing when software and hardware support ends shouldn’t be a guessing game,” said Omar Santos, co-chair of the OpenEoX group and a software engineer at Cisco.
“Managing product lifecycles effectively requires collaboration across the entire ecosystem, from commercial vendors to open-source maintainers.”
The initiative is still early-stage, but the coalition is positioning the draft format as a blueprint for broader adoption and future technical standards. Participation in the OpenEoX committee is open to industry stakeholders, including vendors, researchers, and government bodies, through the OASIS membership process.
The group is seeking public feedback before turning the proposal into a full OASIS standard.