End-of-life vulnerability left too open ended. #108
Description
https://certcc.github.io/CERT-Guide-to-CVD/topics/phases/validation/
The section we have on End-of-Life Software and Scope seems to be a bit unclear guidance for vendors when triaging new vulnerabilities. What happens in the case of supply-chain impact of such vulnerabilities? How will the end-user or other supply-chain partners would know of such information? What propagation failures are possible in supply-chain? This sometimes is more than a supply-chain concerns as well when re-branding, reselling and/or repackaging of software/hardware also creates such a vulnerability left unresolved.
My recommendation is:
We want to direct the vendors to handle vulnerabilities in end-of-life products with the same workflows as currently active products. If they choose to not fix these vulnerabilities, it is still recommended that take a minimal "notification" action. The notification preferably is a publicly accessible page (not behind paywall) that identifies the product and version as end of life and any pertinent information on the upgrade/change hardware path. Notification also uses identifiers such as vendor provided and CVE using the CVE End-of-life information. https://cve.mitre.org/cve/cna/CVE_Program_End_of_Life_EOL_Assignment_Process.html
If in case validation of the end-of-life software/hardware is too expensive or not even possible, then vendors should still confirm that a "notification" of end-of-life exists and point the Finder to such a document. If such a document does not exist, then the vendors' triaging group/PSIRT should fill the gap by creating such a document.