02-19-2023 12:20 AM
Hi,
I have a question after checking the EOL: from a management perspective, what exactly is the meaning of end of vulnerability/security support?
It mentions "The last date that Cisco Engineering may release a planned maintenance release or scheduled software remedy for a security vulnerability issue." I can see it stops before 2 years of EOL.
What happens if there is a vulnerability after it? How does Cisco handle it?
Thanks.
02-19-2023 12:57 AM - edited 02-19-2023 12:58 AM
Regardless if the vulnerability is "(actively) exploited" or not, after that date, any security vulnerability reported will not be investigated & any vulnerability will not be fixed.
02-19-2023 02:10 AM
Hi,
Thanks for the information. May I know more: in case of security advisory reports, Cisco won't do anything? Like recent report of Log4J or anything else, they are quite critical.
I just wonder, the End of Life will take 2 years after; how are they going to support it if they find related vulnerabilities?
Thanks.
02-19-2023 02:24 AM
@theerapongpomp wrote:
Like recent report of Log4J or anything else, they are quite critical.
Log4J is "old news". Patches and fixed software have already been released.
02-19-2023 04:39 AM
It means you're on your own.
Software fixes for any issue no longer provided.
Further, Cisco might not even publish whether your software is vulnerable to a new security hole documented on supported systems.
As an aside, is this situation end-of-the-world? Possibly not; many variables involved to determine actual threat level (somewhat like assessing zero day exploits) and what's tolerable, or not, to you.
10-01-2023 08:50 PM
@Joseph W. Doherty wrote:
As an aside, is this situation end-of-the-world? Possibly not; many variables involved to determine actual threat level (somewhat like assessing zero day exploits) and what's tolerable, or not, to you.
Hi all,
Thank you @theerapongpomp for starting the discussion. The additional milestone (EoVSS) on Cisco's product lifecycle is a painful experience for S/I partners fronting Cisco's business towards clients.
As at 2023-10-02, Cisco's EOL Policy on product lifecycle does not discuss the new EOVSS milestone (see attached screen-grab of milestone table). Now, when complying with clauses regarding lifecycle, we are faced with the prospect of declaring a product's lifespan to be only 3 years from End-of-Sale, instead of 5 years. And it makes the depreciation cost of Cisco's products higher.
I am also reading the EOVSS description as Cisco Engineering releasing planned maintenance release or scheduled software remedy, suggesting that Cisco will still produce hotfixes for vulnerabilities discovered and reported by clients. So, it seems all is not doom-and-gloom, but for clients needing to run 24x7 commercial services, it becomes an Achilles heel.
Can anyone volunteer insights on whether this EOVSS milestone is the norm with Cisco's competitors too?