Methodology

EOL Risk Score™

A proprietary 0–100 score that quantifies the security risk of running end-of-life software. Every product and version page on endoflife.ai displays an EOL Risk Score™ calculated from four factors at build time.

Example score: 90/100 (Critical Risk)
Node.js 16 · EOL September 2023
Recency: 40/40  ·  Attack Surface: 30/30  ·  CISA KEV: 20/20  ·  Extended Support: 0/10

Score Bands

76–100  Critical: Past EOL with high attack surface and active exploitation history. Immediate action required.
51–75   High: Recently past EOL or approaching EOL with significant deployment breadth. Plan migration now.
26–50   Medium: Active software with high attack surface, or EOL software with extended support available.
0–25    Low: Actively supported with low attack surface and no known active exploitation.

The Four Factors

Factor 1 — EOL Recency (40 pts max)
How long ago a version reached end of life — or how soon it will. The longer a product has been past EOL with no patches, the greater the accumulated CVE exposure.
Scoring:
Active, EOL 6+ months away → 0 pts
EOL in 3–6 months → 8 pts
EOL in under 90 days → 15 pts
0–90 days past EOL → 25 pts
3–12 months past EOL → 30 pts
1–2 years past EOL → 35 pts
2+ years past EOL → 40 pts
Factor 2 — Attack Surface (30 pts max)
The breadth of an EOL product's attack surface based on its category. Operating systems, runtimes, and databases are critical-tier — they underpin virtually everything else. Frameworks and tools are high-tier. Utilities and libraries are medium-tier.
Critical tier (30 pts): OS, runtimes (Node.js, Python, PHP, Java, Ruby, Go), databases (MySQL, PostgreSQL, MongoDB, Redis), TLS/SSH, mobile OS

High tier (20 pts): Web frameworks, container orchestration tools, CMS platforms, CI/CD systems

Medium tier (10 pts): Libraries, utilities, and niche tools
Factor 3 — CISA KEV Exposure (20 pts max)
Whether the product family appears in the CISA Known Exploited Vulnerabilities catalog — meaning vulnerabilities in this product have been actively exploited in the wild. Products with confirmed active exploitation history represent a higher ongoing risk when running past EOL.
In CISA KEV catalog → 20 pts
Not confirmed in CISA KEV → 0 pts

Source: CISA Known Exploited Vulnerabilities Catalog
Factor 4 — Extended Support Availability (10 pts max)
Whether a commercial vendor offers continued security patches for this product beyond the official EOL date. The existence of extended support partially mitigates risk — organizations can purchase a patch path. Products with no extended support option carry higher residual risk.
No extended support available → 10 pts
Extended support available → 0 pts

Vendors tracked: HeroDevs (Node.js, Angular, React, Vue, Django, Python), TuxCare (Ubuntu, Debian, CentOS, RHEL, PHP)
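The four factors above add up to a deterministic score, so they can be written down as code. The following is an added worked example, not endoflife.ai's build code: it implements the point tables exactly as stated on this page and scores a constructed inventory at a hypothetical build date (1 May 2026) chosen so that the results line up with the Real-World Score Examples table. Two assumptions are made here: the month-based recency brackets are mapped onto 90/180/365/730-day boundaries, and the EOL dates are the page's month-level dates placed on the first of the month. Note that Go 1.24 is placed in the medium tier to match the examples table, although Factor 2 lists Go among the critical-tier runtimes; tier assignment is left to the caller for exactly that reason.

```python
from dataclasses import dataclass
from datetime import date

# Factor 2 point values per attack-surface tier, as listed on the page.
SURFACE_TIER_POINTS = {"critical": 30, "high": 20, "medium": 10}


@dataclass(frozen=True)
class Product:
    name: str
    eol: date                 # vendor end-of-life date
    surface_tier: str         # "critical", "high" or "medium" (Factor 2)
    in_cisa_kev: bool         # product family appears in the CISA KEV catalog (Factor 3)
    extended_support: bool    # a tracked vendor sells post-EOL patches (Factor 4)


def recency_points(eol: date, as_of: date) -> int:
    """Factor 1: 0-40 points from distance to (or time past) the EOL date.

    The page states the brackets in months; mapping them onto
    90/180/365/730 days is an assumption made here for a concrete calculation.
    """
    days_until = (eol - as_of).days
    if days_until > 180:      # active, EOL 6+ months away
        return 0
    if days_until > 90:       # EOL in 3-6 months
        return 8
    if days_until > 0:        # EOL in under 90 days
        return 15
    days_past = -days_until
    if days_past <= 90:       # 0-90 days past EOL
        return 25
    if days_past <= 365:      # 3-12 months past EOL
        return 30
    if days_past <= 730:      # 1-2 years past EOL
        return 35
    return 40                 # 2+ years past EOL


def band(total: int) -> str:
    """Map a 0-100 score onto the page's four score bands."""
    if total >= 76:
        return "Critical"
    if total >= 51:
        return "High"
    if total >= 26:
        return "Medium"
    return "Low"


def score(product: Product, as_of: date) -> dict:
    """Combine the four factors into a 0-100 score and its band."""
    recency = recency_points(product.eol, as_of)
    surface = SURFACE_TIER_POINTS[product.surface_tier]
    kev = 20 if product.in_cisa_kev else 0
    no_support = 0 if product.extended_support else 10
    total = recency + surface + kev + no_support
    return {
        "recency": recency, "surface": surface, "kev": kev,
        "no_support": no_support, "score": total, "band": band(total),
    }


# Hypothetical build date (assumption), chosen so the results match the
# page's examples table.
AS_OF = date(2026, 5, 1)

# Constructed inventory. EOL dates are the page's month-level dates placed on
# the first of the month; tier/KEV/support flags follow the factor descriptions,
# except Go, which uses the medium tier shown in the examples table.
SAMPLE_INVENTORY = [
    Product("Node.js 16", date(2023, 9, 1), "critical", True, True),
    Product("PHP 7.4", date(2022, 12, 1), "critical", True, True),
    Product("Node.js 18", date(2025, 4, 1), "critical", True, True),
    Product("Ubuntu 20.04 LTS", date(2025, 4, 1), "critical", True, True),
    Product("Python 3.9", date(2025, 10, 1), "critical", True, True),
    Product("PHP 8.2", date(2026, 12, 1), "critical", True, True),
    Product("Node.js 22 LTS", date(2027, 4, 1), "critical", True, True),
    Product("Go 1.24", date(2027, 2, 1), "medium", False, False),
]


def score_inventory(products=SAMPLE_INVENTORY, as_of=AS_OF) -> dict:
    """Score every product; return {name: result} ordered highest score first."""
    results = {p.name: score(p, as_of) for p in products}
    return dict(sorted(results.items(), key=lambda kv: -kv[1]["score"]))


if __name__ == "__main__":
    for name, r in score_inventory().items():
        print(f"{name:18} {r['score']:3}/100 {r['band']:8} "
              f"recency {r['recency']:2}  surface {r['surface']:2}  "
              f"kev {r['kev']:2}  no_support {r['no_support']:2}")
```

Because Factor 1 is the only date-dependent term, re-running `score_inventory()` with a later `as_of` is the quickest way to see when a product will cross a band boundary: PHP 8.2 in the inventory above moves from 50 (Medium) to 58 (High) as soon as the build date is within six months of December 2026.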
Real-World Score Examples

The four right-hand columns are the factor points (Recency, Attack Surface, CISA KEV, No Extended Support); Recency reflects the build date at which the table was generated.

Product            EOL Date   Score  Band      Recency  Surface  KEV  No Support
Node.js 16         Sep 2023      90  Critical       40       30   20           0
PHP 7.4            Dec 2022      90  Critical       40       30   20           0
Node.js 18         Apr 2025      85  Critical       35       30   20           0
Ubuntu 20.04 LTS   Apr 2025      85  Critical       35       30   20           0
Python 3.9         Oct 2025      80  Critical       30       30   20           0
PHP 8.2            Dec 2026      50  Medium          0       30   20           0
Node.js 22 LTS     Apr 2027      50  Medium          0       30   20           0
Go 1.24            Feb 2027      20  Low             0       10    0          10

What the EOL Risk Score™ Is Not

Not a CVE count
The score does not count specific CVEs. It quantifies the structural conditions that make EOL software dangerous — independent of any specific vulnerability.
Not a penetration test
The score does not assess your specific configuration, network exposure, or compensating controls. It is a product-level signal, not an environment-level assessment.
Not a replacement for a scanner
Vulnerability scanners and the EOL Risk Score™ serve different purposes. Scanners identify known CVEs in your environment. The EOL Risk Score™ identifies the structural risk of running software the vendor no longer patches.
Not static
Scores are recalculated at every build using the current date. A product approaching EOL will increase in score as the date nears. Scores reflect the state of the world at build time.

Update Cadence

Scores are recalculated at every site build using the current date. EOL dates are sourced from endoflife.date and official vendor documentation. CISA KEV product coverage is reviewed periodically. Attack surface tier assignments are reviewed quarterly.

Licensing

EOL Risk Score™ is a proprietary methodology developed by endoflife.ai. The score and methodology may be referenced with attribution. Commercial use or reproduction of the scoring methodology without permission is not permitted.

Check your stack's EOL Risk Score™

Every product and version page on endoflife.ai displays an EOL Risk Score™. Check yours — free, no account required.
