Tech Giants Propose OpenEoX Standard to Tackle Hidden Risks in End-of-Life Software and Hardware

A group of major tech vendors—Cisco, Microsoft, Dell, IBM, Oracle, and Red Hat—has introduced a draft proposal aimed at fixing a long-standing problem in cybersecurity: the lack of a consistent, transparent way to know when software or hardware is no longer supported.

Published through the OASIS standards body, the proposed framework, called OpenEoX, outlines a machine-readable format that could become the new standard for how vendors communicate end-of-life (EoL) and end-of-support (EoS) timelines. Right now, many organizations are flying blind—running outdated systems without knowing they’re no longer receiving critical patches.

The risks here aren’t abstract. In complex enterprise environments, unsupported products can sit unnoticed for years, especially when embedded in industrial systems or software supply chains. That opens the door for threat actors to exploit known vulnerabilities long after vendors have walked away.

The draft framework from the OpenEoX Technical Committee defines four clear lifecycle checkpoints:

  • General Availability – when the product was first released
  • End of Sales – the last date it could be purchased
  • End of Security Support – when the vendor stops issuing patches
  • End of Life – when all support officially ends

All of this is designed to be machine-readable, making it easier to plug into tools like SBOMs (Software Bill of Materials), vulnerability databases, and security advisories.

The goal is twofold: reduce the manual burden on vendors, and give customers, regulators, and supply chain auditors automated ways to track product support status and make informed risk decisions.
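As an added illustration (not part of the article, and not the OpenEoX draft schema), the following Python example shows the kind of automated check such data enables: it joins an inventory, as might be pulled from an SBOM, to lifecycle records carrying the four checkpoints and reports each component's support status. The field names, vendors, products and dates are constructed assumptions, as is the rule that a checkpoint has passed once the current date is later than it.

```python
from datetime import date

# Hypothetical field names for the checkpoints; NOT the OpenEoX draft schema.
# Listed most severe first so the worst passed checkpoint wins.
CHECKPOINTS = [
    ("end_of_life", "end-of-life"),
    ("end_of_security_support", "no-security-support"),
    ("end_of_sales", "end-of-sales"),
]

# Constructed lifecycle records keyed by (vendor, product, version).
LIFECYCLE = {
    ("ExampleCorp", "edge-router-os", "4.2"): {
        "general_availability": "2016-03-01", "end_of_sales": "2020-06-30",
        "end_of_security_support": "2023-06-30", "end_of_life": "2025-06-30"},
    ("ExampleCorp", "plc-firmware", "1.9"): {
        "general_availability": "2012-01-15", "end_of_sales": "2017-12-31",
        "end_of_security_support": "2019-12-31", "end_of_life": "2021-12-31"},
    ("SampleSoft", "report-server", "11.0"): {
        "general_availability": "2022-09-01", "end_of_sales": "2026-09-01",
        "end_of_security_support": "2029-09-01", "end_of_life": "2030-09-01"},
    ("SampleSoft", "sync-agent", "3.1"): {  # vendor published no support dates
        "general_availability": "2021-05-01", "end_of_sales": "2023-05-01"},
}

# Constructed inventory, e.g. component identities pulled from an SBOM.
INVENTORY = list(LIFECYCLE) + [("OtherVendor", "legacy-lib", "0.8")]

def support_status(record, today):
    """Classify one component from its lifecycle record as of `today`."""
    if record is None:
        return "unknown"  # no vendor data: never assume supported
    for field, label in CHECKPOINTS:
        when = record.get(field)
        # Assumption: a checkpoint has passed once today is later than its date.
        if when and today > date.fromisoformat(when):
            return label
    if not record.get("end_of_security_support"):
        return "unknown"  # patch cut-off date was never published
    return "supported"

def audit(inventory, lifecycle, today):
    """Map every inventoried component to its support status."""
    return {c: support_status(lifecycle.get(c), today) for c in inventory}

if __name__ == "__main__":
    for comp, status in audit(INVENTORY, LIFECYCLE, date(2024, 1, 15)).items():
        print("/".join(comp), "->", status)
```

Components with no record, or with no published security-support date, are reported as "unknown" rather than "supported", so missing vendor data surfaces as a finding instead of being silently treated as safe.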

While the initial draft focuses on software and hardware, the group has also suggested the model could be extended to cover AI models, which are becoming increasingly embedded in enterprise systems.

Right now, the proposal is still early-stage, but the committee is seeking public feedback before moving forward with a formal standardization process. Industry stakeholders—vendors, researchers, regulators—can participate through OASIS membership.

As Omar Santos, co-chair of the OpenEoX group and a software engineer at Cisco, put it: “Knowing when software and hardware support ends shouldn’t be a guessing game.” For anyone managing digital infrastructure, especially at scale, this is a conversation that’s long overdue.
