A coalition of major tech companies including Cisco, Microsoft, Dell, IBM, Oracle, and Red Hat has introduced the draft ‘OpenEoX’ framework. The goal is to standardize how companies announce when their products will stop receiving security patches or any support. The framework was published through the OASIS standards body and addresses issues with current end-of-life (EoL) notices, which are often inconsistent and difficult to track. Without a standardized way to manage these announcements, companies face significant cybersecurity risks from outdated systems, especially those embedded in complex supply chains or critical infrastructure.
The OpenEoX framework proposes a solution by defining a shared, machine-readable format for tracking product lifecycles. This standard would include four key checkpoints: General Availability, End of Sales, End of Security Support, and End of Life. These milestones are meant to be clearly published and easily accessible to users, helping security teams maintain visibility over supported and unsupported systems. The coalition believes that this will streamline tracking and decision-making, reducing the burden on vendors and increasing efficiency for security teams, auditors, and customers alike.
The OpenEoX initiative primarily focuses on software and hardware products, but the authors suggest it could also apply to AI models in the future.
The proposal integrates with existing tools like Software Bill of Materials (SBOMs) and security advisories. It aims to enable automated tracking and risk assessment regarding product lifecycles. This will help organizations avoid running obsolete or vulnerable systems without understanding the associated risks. The draft framework aims to make lifecycle management a collaborative process across vendors, open-source maintainers, and customers.
Although still in its early stages, the OpenEoX initiative is open to public feedback and participation from various industry stakeholders.
The coalition seeks input before it finalizes the framework and submits it as a full OASIS standard. The draft paper outlines the coalition’s vision for a unified approach to managing product lifecycles and addressing the growing cybersecurity concerns associated with outdated systems. It hopes to create a foundation for broader adoption, enhancing overall product security across industries.
Reference:
