OASIS Launches Initiative to Standardize Machine-Readable End-of-Life Information Exchange for Software and Hardware
December 2023 by Marc Jacob
OASIS Open, the international standards and open source consortium, announced the launch of OpenEoX, a global initiative to standardize the exchange of End-of-Life (EOL) and End-of-Support (EOS) information within the software and hardware industries. OpenEoX will provide a unified and efficient method to programmatically verify the EOL or EOS status of the products that businesses and individuals rely on.
A standardized approach to EOL and EOS information will empower open source maintainers and vendors alike to deliver more accurate and reliable support to their users. OpenEoX can help reduce cybersecurity risk and susceptibility to vulnerabilities, enabling companies to quickly identify unsupported products. While frameworks like software bill of materials (SBOMs), the Common Security Advisory Framework (CSAF), and Vulnerability Exchange (VEX) have made significant strides in improving information sharing and product lifecycle management, OpenEoX represents a critical step forward in unifying these efforts.
"It’s crucial for people to stay informed on the lifecycle status of the products and open-source software they rely on. OpenEoX addresses this challenge by providing a common framework that simplifies the process of managing and sharing End-of-Life and End-of-Support information across the industry," said Omar Santos, co-chair of OpenEoX and Distinguished Engineer, Security & Trust, AI Security Research and Operations at Cisco Systems. "When I started the original work in OpenEoX, I recognized that for it to truly transform the industry, it needed to be advanced in OASIS Open."
"OpenEoX will help redefine the landscape of vulnerability management by streamlining the oversight of product lifecycles. This empowers organizations to proactively address security issues through efficient patching and product upgrades," said Justin Murphy, OpenEoX co-chair and Vulnerability Disclosure Analyst at the U.S. Cybersecurity and Infrastructure Security Agency (CISA). "The machine-readable OpenEoX standard will pave the way for automation and integration with tools such as vulnerability scanners and SIEM systems. It will be able to offer a comprehensive overview of an organization’s security posture, contributing to more informed decision-making and enhanced risk mitigation. We look forward to continuing to work with OASIS Open and the broader vulnerability management community to build a path toward more efficient, automated and prioritized vulnerability management."
Participation in OpenEoX is open to all through OASIS membership. OpenEoX invites software and hardware vendors; open source maintainers; technology consultants; business stakeholders reliant on technology products; international, federal, and local government organizations; and others to become part of this collective effort. For more information on OpenEoX, please visit https://openeox.org/.
Support for OpenEoX
"Huawei is proud to join the OpenEoX project and support the establishment of standardized software and hardware end-of-life and end-of-support programs. We understand the impact of rapid tech development on the industry and are committed to working with stakeholders to explore a standardized approach to EOL and EOS programs. This will streamline processes, reduce confusion, and ensure a smooth transition for consumers. We look forward to contributing to the health and sustainability of the entire hardware and software ecosystem!"
– Martin Xie, Director of Huawei Cybersecurity Transparency Center
"Standardizing how the industry performs End of Life/End of Support for developed software/services and their related direct and transitive dependencies is critical to the evolution of end-to-end software supply chain security. Microsoft is proud to contribute to this work, which achieves even more transparency in better-made software while further building trust with more informed consumers."
– Brendan Burns, CVP, Azure OSS Cloud Native
"Qualys has been helping enterprises assess their first-party & open-source software risks through our Enterprise TruRisk Platform and is pleased to partner with OpenEoX to build an open standard to do this at scale. Identifying End-of-Life (EOL) and End-of-Service (EOS) applications in hybrid environments is now a concern at the CIO level, not just for CISOs. The capability to measure, communicate, and, more importantly, eliminate risks stemming from such tech debt demands a collaborative effort involving cybersecurity vendors, software vendors, and IT departments within organizations. We’re pleased to collaborate with OpenEoX to facilitate this process."
– Pinkesh Shah, CPO, Qualys
"As an open source solutions provider with a broad product portfolio, consistently communicating lifecycle information to our customers and partners can pose a challenge. With OpenEoX, Red Hat will be able to streamline that process, providing users with a more accurate and reliable view over the lifecycle of their technologies. This information, integrated with other components of the vulnerability assessment process, will complement data like VEX and SBOMs and help our users address and remediate potential security issues more quickly and efficiently."
– Pete Allor, Sr. Director, Red Hat Product Security
"In today’s dynamic world of cybersecurity threats, identifying the end stages of software and hardware—End-of-Life (EOL) and End-of-Support (EOS)—is critical. While tools like SBOMs, CSAF and OHDF have advanced the field, there is a vital need to address the lack of knowledge when products are no longer supported and the vulnerabilities they introduce. OpenEoX will help us solve this gap with a streamlined process for lifecycle management, minimizing risks from outdated technology. Sophos is excited to work with the OpenEoX community to create a flexible framework that seamlessly melds with current standards and tools, streamlining the addition of EOL / EOS into the product lifecycle."
– Mike Fraser, VP of Product Management of DevSecOps and Automation, Sophos