CVE Blog

The purpose of this blog is to establish a dialogue and get your input on issues and topics important to CVE. We encourage you to use Medium, LinkedIn, or Twitter to comment on, share, or like a post.

Process for Assigning CVE IDs to End-of-Life (EOL) Products


The mission of the CVE Program is to identify, define, and catalog publicly disclosed vulnerabilities, regardless of the status of the software in question. Issuing CVE IDs for software that has reached EOL supports this mission.

As part of issuing a CVE ID, many vendors perform due diligence to validate and remediate disclosed vulnerabilities in supported products. By definition, EOL products are typically no longer supported by vendors. Vendors are under no obligation to validate vulnerability reports in EOL software: doing so can be cost prohibitive because the relevant expertise may no longer be available, it may disrupt release schedules for supported products, or there may be other legitimate business justifications. However, to be consistent with the CVE Program mission, publicly disclosed vulnerabilities may warrant CVE assignment, even in cases where the product is out of scope for CVE assignment by the vendor CNA.

The CVE Program has established a set of “program principles” for assigning CVE IDs to EOL products that apply to all program participants. These principles guided the development of a policy that balances the legitimate equities of CVE Numbering Authorities (CNAs) and the CVE Program.

CVE Program Principles for EOL Products

  • CVE IDs may be assigned for vulnerabilities in EOL products.
  • There are no expectations of vendors to either investigate or correct vulnerabilities reported in EOL products.
  • Vendor CNAs have the first “right-of-refusal” in issuing CVE IDs for their products but cannot stop the assignment of a CVE ID if deemed appropriate by the program.
  • If a Vendor CNA does not assign, the CNA of Last Resort (CNA-LR) will work with both parties (Vendor CNA and the Reporter) to determine whether or not to assign a CVE ID to a vulnerability in an EOL product.
  • CVE IDs assigned for EOL products are to be tagged with an Unsupported When Assigned tag. This will enable community stakeholders to rapidly identify CVE records for EOL products.

Vulnerability Reporters who wish to request a CVE ID for EOL software will be required to provide some means of depicting how the issue was discovered and proof of the vulnerability’s existence to the vendor/CNA and the CVE Program.

The CVE Program does not require, and vendors are under no obligation, to validate, test, or fix vulnerabilities discovered in EOL products. Products entering EOL status is a reality of the software world; while vendors have different EOL policies, software products are eventually replaced by new products. However, many organizations run EOL products. Therefore, consistent with the CVE Program mission, should valid vulnerabilities be reported to the CVE Program and be publicly disclosed, the CVE Program will assign a CVE ID to serve the needs of those still running EOL products. It is important for those running EOL products to know that they are vulnerable and that no patch will be forthcoming. Issuing CVE IDs for EOL products provides a means of alerting the community to an EOL vulnerability, as well as of providing information on how those running EOL software can upgrade to a supported product.

For detailed information about the CVE Program’s transparent EOL policy, visit the CVE Program’s End of Life Vulnerability Assignment Process.

Comments or Questions?

If you have any questions about this article, please use the CVE Request Web Form and select “Other” from the dropdown menu to contact the CVE Program. We look forward to hearing from you!

- The CVE Board
  July 31, 2020


Page Last Updated or Reviewed: October 18, 2020