Document when releases or versions will no longer receive security updates #483

@taladrane

Description

Address OSPS-DO-05.01 security baseline requirement.

Requirement: When the project has made a release, the project documentation MUST provide a descriptive statement when releases or versions will no longer receive security updates.

Recommendation: In order to communicate the scope and duration of support for security fixes, the project should have a SUPPORT.md or other documentation explaining the project's policy for security updates.

Control applies to: Maturity Level 3

External Framework Mappings
CRA: 1.2c, 2.6
ISO-18974: 4.1.1, 4.3.1
OpenCRE: 673-475, 053-751
PSSCRM: E1.6
SAMM: Operations -Operational Management -System Decommissioning -Legacy Management Lvl1, Operations -Operational Management -System Decommissioning -Legacy Management Lvl2
PCIDSS: 3.1.1, 3.2.1, 4.1.1, 5.1.1, 6.1.1, 6.3.2, 7.1.1, 8.1.1, 11.1.1
UKSSCOP: 3.5, 4.1
800-161: PL-1, PL-2, SI-4, SI-5

Labels: security baseline (https://github.com/ossf/tac/blob/main/process/security_baseline.md)
