Process for Assigning CVE IDs to End-of-Life (EOL) Products

The mission of the CVE Program is to identify, define, and catalog publicly disclosed vulnerabilities, regardless of the status of the software in question. Issuing CVE IDs for software that has reached EOL supports this mission.

As part of issuing a CVE ID, many vendors perform due diligence to validate and remediate disclosed vulnerabilities for supported products. By definition, EOL products are typically no longer supported by vendors. Vendors are under no obligation to validate vulnerability reports in EOL software: doing so is cost prohibitive in that expertise may not be available, it may disrupt release schedules for supported products, or there may be other legitimate business justifications. However, to be consistent with the CVE Program mission, publicly disclosed vulnerabilities may warrant CVE assignment, even in cases where the product was out-of-scope for CVE assignment by the vendor CNA.

The CVE Program has established a set of “program principles” related to assigning CVE IDs to EOL products that applies to all program participants. The principles guided the development of a policy that balances the legitimate equities of CVE Numbering Authorities (CNAs) and the CVE Program.

CVE Program Principles for EOL Products

Vulnerability Reporters who wish to request a CVE ID for EOL software will be required to provide some means of depicting how the issue was discovered and proof of the vulnerability’s existence to the vendor/CNA and the CVE Program.

The CVE Program does not require vendors to validate, test, or fix vulnerabilities discovered in EOL products, and vendors are under no obligation to do so. Products entering EOL status is a reality of the software world, and while vendors have different EOL policies, software products eventually are replaced by new products. However, many organizations run EOL products. Therefore, consistent with the CVE Program mission, should valid vulnerabilities be reported to the CVE Program and be publicly disclosed, the CVE Program will assign a CVE ID to serve the needs of those still running EOL products. It is important for those running EOL products to know they are vulnerable, and that no patch will be forthcoming. Issuing CVE IDs for EOL products provides the means for alerting the community to an EOL vulnerability as well as for providing information on how those running EOL software can upgrade to a supported product.

For detailed information about the CVE Program’s transparent EOL policy, visit the CVE Program’s End of Life Vulnerability Assignment Process.

Page Last Updated or Reviewed: December 11, 2020