The following approaches are used to determine the support or unsupported status of software products when assessing the Desktop Software and Mobile Software risk vectors:
End-of-Life
Software without an end-of-life (EOL) policy that becomes unsupported gets an additional grace period of up to 7 days. It is considered to be supported during that time. The previous version reaches its EOL within seven days after the release of the newest version. This is because as the software reaches its EOL, updated versions are made available on different platforms (such as App Stores), and the roll-out may not happen at the same time on all platforms.
Extended Support
Most software vendors provide support only to the latest version of their products. Others provide a support life cycle split into two periods – the first half with “mainstream support” and the second half with “extended support.” After the extended support period, “extended security updates (ESU)” might be offered. Extended support and ESU are considered when determining if the software is supported.
Software with ESU are evaluated in the following manner:
- GOOD: From the date of release to the end date of extended support.
- FAIR: The first and second years of ESU.
- WARN: The third year ESU.
- BAD: The end date of ESU.
Long-Term Support
Some software products also provide long-term support (LTS) releases. These releases ensure stability and compatibility for users who require a reliable and predictable software environment while receiving security updates and bug fixes. All software products that provide these releases are considered in the “mainstream support” period.