End-of-Life
Vendors may go out of business or end the support for their outdated product. In this case a component is called end-of-life (EOL) or end-of-service (EOS).
Tagging EOL/EOS
In our database we are able to flag vendors, products, versions in general, or products in specific vulnerability entries as EOL/EOS. We then provide different tags for deprecated components to make this status visible:
- We provide the fields software_support_availability and cna_eol which indicate whether a product or version does not provide active support anymore. Both fields may be part of an API response of a Vulnerability API request.
- On the web site a vulnerability entry may also contain EOL information. For example Microsoft Internet Explorer became end-of-life as it was succeeded by Microsoft Edge. Therefore, all Internet Explorer vulnerability entries show the EOL indicator, for example VDB-174867.
- In our product overview we also indicate the EOL status of products.
- CVE entries maintained by our CNA team will also be tagged with unsupported-when-assigned if necessary to comply with CNA Operational Rule 4.2.17.1. For example CVE-2024-8460 (maintained by VulDB) and CVE-2025-3837 (maintained by the vendor). Contrary to other CNAs, which might have limitations regarding EOL/EOS items, this does not impact our processing in any way.
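On the consuming side, the unsupported-when-assigned tag can be used to route findings for unsupported components to a different remediation track. The following is an added example, not VulDB code: it reads the tag from containers.cna.tags of CVE Record Format 5.x records, and the records, CVE IDs, vendor and product names and the inventory are constructed placeholders.

```python
import json

EOL_TAG = "unsupported-when-assigned"  # CNA tag in the CVE Record Format 5.x

# Constructed sample records (placeholder IDs and products, not real CVE data).
SAMPLE_RECORDS = json.loads("""
[
  {"cveMetadata": {"cveId": "CVE-0000-00001"},
   "containers": {"cna": {
     "tags": ["unsupported-when-assigned"],
     "affected": [{"vendor": "ExampleVendor", "product": "LegacyRouter",
                   "versions": [{"version": "1.0", "status": "affected"}]}]}}},
  {"cveMetadata": {"cveId": "CVE-0000-00002"},
   "containers": {"cna": {
     "affected": [{"vendor": "ExampleVendor", "product": "CurrentApp",
                   "versions": [{"version": "4.2", "status": "affected"}]}]}}},
  {"cveMetadata": {"cveId": "CVE-0000-00003"},
   "containers": {"cna": {"tags": ["disputed"], "affected": []}}}
]
""")


def is_unsupported_when_assigned(record):
    """True if the CNA container carries the EOL/EOS tag; missing keys mean False."""
    cna = record.get("containers", {}).get("cna", {})
    return EOL_TAG in (cna.get("tags") or [])


def triage(records, inventory):
    """Split findings for inventoried (vendor, product) pairs by support status.

    'unsupported' entries were EOL/EOS when the CVE was assigned, so a regular
    vendor patch cannot be assumed and replacement or isolation should be planned.
    """
    result = {"unsupported": [], "supported": []}
    for rec in records:
        cna = rec.get("containers", {}).get("cna", {})
        bucket = "unsupported" if is_unsupported_when_assigned(rec) else "supported"
        for aff in cna.get("affected") or []:
            key = (aff.get("vendor"), aff.get("product"))
            if key in inventory:
                result[bucket].append((rec["cveMetadata"]["cveId"], *key))
    return result


if __name__ == "__main__":
    inv = {("ExampleVendor", "LegacyRouter"), ("ExampleVendor", "CurrentApp")}
    print(triage(SAMPLE_RECORDS, inv))
```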
Co-ordinated Disclosure for EOL/EOS Components
Even though the declaration of EOL/EOS indicates that a vendor is not supporting a product anymore, we will still try to inform vendors about emerging vulnerabilities in them as part of our co-ordinated disclosure policy. It is not unusual that even for EOL/EOS products some kind of action is initiated by vendors (e.g. custom advisory, out-of-band patch).
Updates by VulDB Documentation Team