Five Years of Security Updates
The CRA requires manufacturers to provide security updates for the expected product lifetime, with a minimum of 5 years. For software companies used to annual release cycles, this is a fundamental shift.
The Obligation
```text
Product Release v1.0 ────────────────────────────── End of Support
         │ (min 5 years)
         ├── Security patches within reasonable time
         ├── Free of charge to users
         ├── Accompanied by advisory information
         ├── Separate from feature updates (when possible)
         └── Available through secure distribution channel
```
Planning Long-Term Support
Branch Strategy
```text
main ───────────── v3.x (current) ─── active development
├── release/2.x → v2.x (LTS) ───── security patches only (until 2029)
└── release/1.x → v1.x (LTS) ───── security patches only (until 2028)
```
Automated Backporting
```yaml
# GitHub Actions: Auto-backport security fixes
name: Security Backport
on:
  pull_request:
    types: [closed]
    branches: [main]
jobs:
  backport:
    # "closed" also fires for PRs closed without merging, so check merged too
    if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'security')
    runs-on: ubuntu-latest
    strategy:
      matrix:
        branch: [release/2.x, release/1.x]
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ matrix.branch }}
          fetch-depth: 0   # full history, so the merge commit from main is reachable
      - name: Cherry-pick security fix
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          # -x records the original commit id in the message for the audit trail;
          # for a true merge commit (not squash/rebase merges) add "-m 1"
          git cherry-pick -x ${{ github.event.pull_request.merge_commit_sha }}
      - name: Create backport PR
        uses: peter-evans/create-pull-request@v6
        with:
          base: ${{ matrix.branch }}
          branch: security-backport/${{ matrix.branch }}
          title: "[Security Backport] ${{ github.event.pull_request.title }}"
```
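The workflow stops at the first cherry-pick that conflicts, and a conflicted cherry-pick left behind on a runner or a developer machine is easy to commit by accident. The following is an added example, not code from the original post, of the same backport logic as a small Python helper that applies a fix to each LTS branch in turn, aborts any conflicting cherry-pick so the branch is left untouched, and reports the per-branch outcome for a human to act on. `backport_fix`, `BackportResult` and the bot identity are hypothetical names; the helper assumes `git` is on PATH and a local clone with the LTS branches present.

```python
"""Backport one merged security fix onto each LTS branch, aborting on conflict.

Hypothetical helper: names and the bot identity are assumptions for this example.
"""
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class BackportResult:
    branch: str
    ok: bool
    detail: str


def _git(repo, *args):
    # Fixed identity and no signing, so cherry-pick can commit on a bare CI runner
    cmd = [
        "git",
        "-c", "user.name=backport-bot",
        "-c", "user.email=backport-bot@example.invalid",
        "-c", "commit.gpgsign=false",
        *args,
    ]
    return subprocess.run(cmd, cwd=repo, capture_output=True, text=True)


def backport_fix(repo, commit, lts_branches):
    """Cherry-pick `commit` onto every branch in `lts_branches`.

    A clean apply leaves the branch at the new commit. A conflict is aborted
    immediately so the branch is unchanged and the result says it needs a
    manual backport; nothing half-applied is left in the working tree.
    """
    results = []
    for branch in lts_branches:
        checkout = _git(repo, "checkout", "-q", branch)
        if checkout.returncode != 0:
            results.append(BackportResult(branch, False, checkout.stderr.strip()))
            continue
        # -x records "cherry picked from commit ..." so the LTS patch can be
        # traced back to the original fix in an advisory or audit
        pick = _git(repo, "cherry-pick", "-x", commit)
        if pick.returncode == 0:
            results.append(BackportResult(branch, True, "applied"))
        else:
            _git(repo, "cherry-pick", "--abort")
            results.append(BackportResult(branch, False, "conflict, needs manual backport"))
    return results


if __name__ == "__main__":
    import sys
    # usage: python backport.py <repo-path> <commit-sha> release/2.x release/1.x
    for result in backport_fix(sys.argv[1], sys.argv[2], sys.argv[3:]):
        print(f"{result.branch}: {'OK' if result.ok else 'FAILED'} ({result.detail})")
```

The branches that report a conflict are exactly the ones where a developer still has to write the patch by hand, which is the work the "0.5-2 FTEs" below is paying for; keeping the conflict list per release line makes that effort visible rather than buried in a failed job log.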
Dependency Monitoring for LTS Branches
```python
class LTSMonitor:
    """Re-scan every LTS branch against the current vulnerability feed."""

    def __init__(self, lts_branches):
        # e.g. ["release/2.x", "release/1.x"]; each branch pins its own dependencies
        self.lts_branches = lts_branches

    # get_sbom, scan_vulnerabilities and create_security_ticket wrap your SBOM
    # generator, scanner and issue tracker; they are not shown here.
    async def check_lts_branches(self):
        for branch in self.lts_branches:
            sbom = await self.get_sbom(branch)
            vulns = await self.scan_vulnerabilities(sbom)
            # Lower severities are tracked but do not open an SLA-bound ticket
            critical = [v for v in vulns if v.severity in ("CRITICAL", "HIGH")]
            if critical:
                await self.create_security_ticket(
                    branch=branch,
                    vulnerabilities=critical,
                    sla="patch within 30 days",
                )
```
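To make the monitor sketch and the five-year obligation concrete, here is an added, self-contained example (not the article's code) that derives each release line's support window from its release date, scans a constructed per-branch SBOM against a constructed advisory feed, and opens a 30-day ticket only for branches still inside their window. All names (`support_window`, `scan_sbom`, `check_lts_branches`, `Finding`), the advisory IDs (placeholders, not real CVEs) and the component versions are assumptions; exact-version matching stands in for the version-range matching a real scanner does.

```python
"""Support-window arithmetic plus an SBOM-vs-advisory scan for LTS branches.

Added example with constructed data; names and IDs are assumptions, not real CVEs.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MIN_SUPPORT_YEARS = 5    # CRA floor quoted in the article
EOL_NOTICE_YEARS = 1     # announce EOL 12 months in advance
PATCH_SLA_DAYS = 30      # "patch within 30 days" from the monitor sketch
ACTIONABLE = ("CRITICAL", "HIGH")


def add_years(d, years):
    """Shift a date by whole years, clamping Feb 29 to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def support_window(release_date, expected_lifetime_years):
    """Return (end_of_support, eol_announcement_due) for one release line.

    Support runs for the expected product lifetime but never less than five
    years; the EOL announcement is due twelve months before support ends.
    """
    years = max(MIN_SUPPORT_YEARS, expected_lifetime_years)
    end = add_years(release_date, years)
    return end, add_years(end, -EOL_NOTICE_YEARS)


@dataclass(frozen=True)
class Finding:
    branch: str
    advisory: str
    package: str
    version: str
    severity: str


def scan_sbom(branch, components, advisories):
    """Match each (package, version) pinned on a branch against the feed.

    Exact-version matching is a simplification of the range matching real
    advisory feeds use.
    """
    findings = []
    for package, version in components:
        for adv in advisories:
            if adv["package"] == package and version in adv["affected"]:
                findings.append(Finding(branch, adv["id"], package, version, adv["severity"]))
    return findings


def check_lts_branches(sboms, advisories, windows, today):
    """Open one SLA-bound ticket per supported branch with HIGH/CRITICAL findings."""
    tickets = []
    for branch, components in sboms.items():
        end_of_support, _ = windows[branch]
        if today > end_of_support:
            continue  # out of support: no patch obligation, so no ticket
        actionable = [f for f in scan_sbom(branch, components, advisories)
                      if f.severity in ACTIONABLE]
        if actionable:
            tickets.append({"branch": branch, "findings": actionable,
                            "due": today + timedelta(days=PATCH_SLA_DAYS)})
    return tickets


# Constructed inputs: one pinned component list per branch ...
SBOMS = {
    "release/2.x": [("openssl", "3.0.9"), ("libxml2", "2.10.3"), ("zlib", "1.3.1")],
    "release/1.x": [("openssl", "1.1.1t"), ("libxml2", "2.9.14"), ("zlib", "1.2.13")],
    "release/0.x": [("openssl", "1.1.1t")],
}
# ... and a constructed advisory feed with placeholder IDs (not real CVEs)
ADVISORIES = [
    {"id": "ADV-0001", "package": "openssl", "affected": ["1.1.1t", "3.0.9"], "severity": "HIGH"},
    {"id": "ADV-0002", "package": "zlib", "affected": ["1.2.13"], "severity": "CRITICAL"},
    {"id": "ADV-0003", "package": "libxml2", "affected": ["2.9.14"], "severity": "MEDIUM"},
]
# Release dates are assumptions chosen to give the 2029 / 2028 end dates from the branch diagram
WINDOWS = {
    "release/2.x": support_window(date(2024, 6, 1), 5),  # ends 2029-06-01
    "release/1.x": support_window(date(2023, 6, 1), 5),  # ends 2028-06-01
    "release/0.x": support_window(date(2019, 6, 1), 5),  # ended 2024-06-01
}

if __name__ == "__main__":
    for ticket in check_lts_branches(SBOMS, ADVISORIES, WINDOWS, date(2026, 1, 15)):
        ids = ", ".join(sorted(f.advisory for f in ticket["findings"]))
        print(f"{ticket['branch']}: patch {ids} by {ticket['due']}")
```

Note that `release/0.x` is silently skipped even though its pinned OpenSSL is flagged: once a line is past end of support there is no obligation to patch it, which is why the EOL announcement date from `support_window` matters as much as the scan itself.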
Cost Considerations
Per product line, annual LTS costs:
- Security engineering time: 0.5-2 FTEs
- Build/test infrastructure: Maintain CI/CD for each supported version
- Dependency management: Track and patch transitive dependencies
- Communication: Security advisories, user notifications
Budget Tip
Factor LTS costs into your product pricing. A 5-year support obligation means each sale carries 5 years of ongoing cost.
End of Life Process
When support ends:
- Announce EOL 12 months in advance
- Provide migration guide to supported versions
- Final security audit before last supported release
- Archive SBOM for regulatory reference
- Clearly mark product as unsupported in all documentation
Key Takeaways
- Design for long-term support: modular architecture makes backporting easier
- Automate backporting: manual cherry-picks don't scale across versions
- Monitor dependencies continuously: your LTS branches share the same CVE exposure
- Budget for LTS: it's a 5-year commitment per product release
- Communicate clearly: users must know their support window
Planning your CRA security update strategy? I help organizations build sustainable long-term support processes. Get in touch.
