The Commonhaus Foundation launched a new collaborative program this week to help enterprises manage open-source software projects as they enter end-of-life (EOL). The Open Source Sustainability Initiative (OSSI) is the Commonhaus Foundation’s latest effort to champion and maintain open-source projects.  

As enterprises bring multiple open source projects into their environments, they have to keep track of new versions as they are released and apply security fixes promptly. This maintenance challenge becomes even harder once software reaches EOL, especially when vulnerabilities were left unpatched before EOL, or new vulnerabilities are found afterward.

The number of reported CVEs [Common Vulnerabilities and Exposures] is skyrocketing, while help is diminishing. The decision by the National Institute of Standards and Technology to change how it handles CVEs earlier this year was a big hit to the open source software ecosystem.


OSSI is necessary because EOL software doesn’t stop running just because its maintainers have moved on, explains Erin Schnabel, chair of the Commonhaus Foundation. “We kept seeing the same patterns across our projects: companies running EOL software they couldn’t yet upgrade, and CVEs still coming in against it,” Schnabel tells Dark Reading.

The initiative’s goal is to improve “lifecycle transparency and collaboration between maintainers, foundations, ecosystem partners, and the broader open source community,” according to the press release. That means answering a seemingly simple yet complex question: What do these organizations need? That may be CVE remediation, help migrating to updated releases, staying compliant with ever-evolving regulations, or, more likely, all of the above.

All Roads Lead to EOL

Components per application have increased 30% year-over-year, according to Black Duck’s 2026 Open Source Security and Risk Analysis Report. “Open-source is now effectively universal in commercial software,” and “the mean number of open-source vulnerabilities per codebase has more than doubled,” Black Duck added.

Enterprises are spending so much time modernizing and keeping up to date with open source software lifecycle management that it’s getting in the way of work, explains Rob Nalen, COO of HeroDevs, a founding member. HeroDevs helps provide companies with vetted options for staying secure without expecting project volunteers to support releases forever. The amount of work being put on open source software communities is “frankly insurmountable,” Nalen adds. 


Nalen attributes some of the pressure on open source developers to the fact that artificial intelligence (AI) is being used to write code and find vulnerabilities. AI is finding vulnerabilities faster than teams can fix them. “There’s a race between AI being used to find and exploit CVEs, and communities and enterprises trying to keep up” as they try to determine whether the flaws have already been identified and how to patch them, Nalen says.

And once a project enters EOL, the maintainers stop providing updates, even as new vulnerabilities arise. This is one area where AI may be useful in modernizing the application. While it’s a great accelerator, says Nalen, it is not a replacement when it comes to modernization. 

AI can do repetitive work like rewriting deprecated code and applying known patterns; however, trouble starts at the framework level, he adds. For example, it doesn’t look at downstream dependencies during development and can hallucinate.

“Bear in mind that AI can update the code in seconds, but what it struggles with is rewriting the hundreds of third-party libraries underneath, especially those that haven’t made the same version bump, without breaking anything,” he says.

‘Red Flags Are Not Okay Anymore’

Addressing EOL issues helps enterprises reduce security incidents by limiting at least some attack vectors. It also supports their compliance with the U.S.’s PCI DSS or the European Union’s Digital Operational Resilience Act (DORA) – industry standards and regulatory requirements designed to ensure everyone’s infrastructure is safe. PCI DSS 4.0 requirement 12.3.4 states that organizations must review software (as well as hardware) annually to confirm that the technologies have not reached EOL. If they are using legacy software, they must develop a remediation plan.


Nalen observes that many engineers are okay with “red flags” in software development, which could include leaving flaws unpatched, if the applications still work correctly. But with cyberattacks and data breaches increasing, that tolerance for shipping unpatched code is disappearing. “Security leaders [are] now coming in saying that red flag isn’t going to work anymore,” Nalen says.
