Calculator Inputs
Use the form below to estimate how urgently a software component should be upgraded, replaced, or isolated.
Formula Used
The calculator converts each factor into a normalized risk value from 0 to 100 (inputs that would fall outside that range are clamped to it), then applies a weighted model whose weights sum to 100%.
| Factor | Normalization Logic | Weight |
|---|---|---|
| Support window risk | Piecewise scale over remaining support months. Unsupported products (zero or negative months remaining) score highest; longer remaining support lowers risk. | 16% |
| Vulnerability pressure | min(100, open critical vulns × 25 + open high vulns × 10) | 14% |
| Patch adoption lag | min(100, (patch lag days ÷ 180) × 100) | 9% |
| Maintainer activity | 100 − maintainer activity percentage (0 to 100, higher is healthier) | 9% |
| Dependency surface | min(100, (dependency count ÷ 120) × 100) | 7% |
| Business criticality | ((criticality − 1) ÷ 4) × 100, criticality on a 1 to 5 scale | 10% |
| Internet exposure | (exposure level ÷ 5) × 100, exposure level on a 0 to 5 scale | 8% |
| Migration effort | ((effort − 1) ÷ 4) × 100, effort on a 1 to 5 scale | 8% |
| Compliance impact | ((impact − 1) ÷ 4) × 100, impact on a 1 to 5 scale | 8% |
| Support quality | ((5 − support quality) ÷ 4) × 100, quality on a 1 to 5 scale where 5 is best | 5% |
| Release staleness | min(100, (months since stable release ÷ 24) × 100) | 6% |
Overall score formula: Risk Score = Σ (Normalized Factor Risk × Weight %) ÷ 100. Because the weights sum to 100%, the result is itself a value from 0 to 100.
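The weighted model above, implemented end to end as an added example (this is not the calculator's own code). It normalizes every factor exactly as the table defines it, clamps to 0..100, weights and sums, and also ranks the weighted contributions so the strongest risk drivers are visible, which is what the factor table and chart on the page are for. Two things are assumptions because the page does not state them: the exact piecewise support-window scale and the priority band thresholds (chosen so that they agree with the labels in the example table). The sample component values are constructed, so the scores will not match the example table exactly.

```python
"""End-of-life risk score: worked example of the weighted model (added here,
not the calculator's own code)."""
from dataclasses import dataclass

# Percentage weights from the page; they must sum to 100.
WEIGHTS = {
    "support_window": 16, "vulnerability_pressure": 14, "patch_lag": 9,
    "maintainer_activity": 9, "dependency_surface": 7, "business_criticality": 10,
    "internet_exposure": 8, "migration_effort": 8, "compliance_impact": 8,
    "support_quality": 5, "release_staleness": 6,
}
assert sum(WEIGHTS.values()) == 100


@dataclass
class ComponentInputs:
    name: str
    months_to_eol: float            # negative if support already ended
    critical_vulns: int             # open critical vulnerabilities
    high_vulns: int                 # open high vulnerabilities
    patch_lag_days: float
    maintainer_activity_pct: float  # 0..100, higher is healthier
    dependency_count: int
    criticality: int                # 1..5
    exposure: int                   # 0..5, 5 = directly internet facing
    migration_effort: int           # 1..5
    compliance_impact: int          # 1..5
    support_quality: int            # 1..5, 5 = best
    months_since_release: float


def clamp(value: float) -> float:
    """Every normalized factor lives in 0..100."""
    return max(0.0, min(100.0, value))


def support_window_risk(months_to_eol: float) -> float:
    """ASSUMED piecewise scale. The page only says unsupported products score
    highest and longer remaining support lowers risk."""
    if months_to_eol <= 0:
        return 100.0
    if months_to_eol <= 6:
        return 85.0
    if months_to_eol <= 12:
        return 65.0
    if months_to_eol <= 24:
        return 40.0
    if months_to_eol <= 36:
        return 20.0
    return 5.0


def normalize(c: ComponentInputs) -> dict:
    """Map each raw input to the 0..100 risk value from the normalization table."""
    return {
        "support_window": support_window_risk(c.months_to_eol),
        "vulnerability_pressure": min(100.0, c.critical_vulns * 25 + c.high_vulns * 10),
        "patch_lag": clamp(c.patch_lag_days / 180 * 100),
        "maintainer_activity": clamp(100 - c.maintainer_activity_pct),
        "dependency_surface": clamp(c.dependency_count / 120 * 100),
        "business_criticality": clamp((c.criticality - 1) / 4 * 100),
        "internet_exposure": clamp(c.exposure / 5 * 100),
        "migration_effort": clamp((c.migration_effort - 1) / 4 * 100),
        "compliance_impact": clamp((c.compliance_impact - 1) / 4 * 100),
        "support_quality": clamp((5 - c.support_quality) / 4 * 100),
        "release_staleness": clamp(c.months_since_release / 24 * 100),
    }


def contributions(c: ComponentInputs) -> list:
    """Weighted contribution of each factor (normalized x weight / 100),
    largest first: the 'strongest risk drivers' view."""
    norm = normalize(c)
    items = [(k, norm[k] * WEIGHTS[k] / 100) for k in WEIGHTS]
    return sorted(items, key=lambda kv: kv[1], reverse=True)


def risk_score(c: ComponentInputs) -> float:
    """Risk Score = sum(normalized factor x weight) / 100, a value in 0..100."""
    norm = normalize(c)
    return sum(norm[k] * WEIGHTS[k] for k in WEIGHTS) / 100


def priority(score: float) -> str:
    """ASSUMED bands, picked to agree with the labels in the example table."""
    if score >= 75:
        return "Critical"
    if score >= 50:
        return "High"
    if score >= 25:
        return "Moderate"
    return "Low"


if __name__ == "__main__":
    # Constructed sample: an unsupported, internet-facing gateway module.
    gateway = ComponentInputs("Customer API Gateway Module", -2, 2, 3, 90, 40,
                              60, 5, 5, 4, 3, 2, 12)
    score = risk_score(gateway)
    print(f"{gateway.name}: {score:.2f} ({priority(score)})")
    for factor, weighted in contributions(gateway)[:3]:
        print(f"  driver {factor}: {weighted:.2f}")
```

Reading the driver list is usually more useful than the headline number: two components with the same score can need very different responses depending on whether exposure or migration effort is what pushes them up.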
How to Use This Calculator
- Enter the software component name and current version.
- Estimate remaining support life in months. Use negative months if support already ended.
- Add security information, including open critical and high vulnerabilities.
- Enter patch lag, dependency count, and maintainer activity.
- Choose business criticality, exposure, migration effort, compliance impact, and support quality.
- Click Calculate Risk Score to show the result above the form.
- Review the factor table and chart to identify the strongest risk drivers.
- Download the result as CSV or PDF for governance reviews, architecture meetings, or backlog planning.
Example Data Table
| Component | Months to EOL | Critical Vulns | Dependencies | Exposure | Migration Effort | Example Score | Priority |
|---|---|---|---|---|---|---|---|
| Legacy Authentication Library | 5 | 1 | 36 | 4 | 4 | 67.8 | High |
| Build Runner Agent | 14 | 0 | 18 | 1 | 2 | 29.4 | Moderate |
| Customer API Gateway Module | -2 | 2 | 52 | 5 | 5 | 88.6 | Critical |
| Internal Reporting Package | 22 | 0 | 11 | 0 | 2 | 17.3 | Low |
| Database Connector Plugin | 8 | 1 | 27 | 3 | 3 | 54.9 | High |
Frequently Asked Questions
1) What does the end of life risk score measure?
It measures upgrade urgency for a software component by combining support timeline, security exposure, dependency breadth, maintenance health, compliance pressure, and migration difficulty into one weighted score.
2) Is an already unsupported product always critical?
Not always, but unsupported software usually receives a large score increase. Actual severity still depends on exposure, vulnerabilities, criticality, and how difficult the replacement path will be.
3) Why include maintainer activity in the model?
Weak maintainer activity can signal slower fixes, limited roadmap confidence, and rising support uncertainty. Even before official end of life, neglected projects may become expensive or unsafe to keep.
4) How are vulnerabilities weighted here?
Critical issues have a heavier impact than high issues (25 points each versus 10). The calculator caps vulnerability pressure at 100, which four open critical issues already reach, so one factor cannot grow without limit and distort every other engineering signal.
5) Can this compare commercial and open source components?
Yes. The support quality and maintainer activity fields help adapt the model to both vendor-backed products and community-maintained packages, as long as your input estimates are realistic.
6) Why does migration effort increase the score?
Hard migrations deserve earlier planning. A component that is difficult to replace becomes riskier as support ends because teams need more time, budget, testing, and rollback preparation.
7) How often should teams recalculate the score?
Recalculate quarterly at minimum. Recompute sooner when a vendor changes support dates, new vulnerabilities appear, patch lag grows, or the component becomes more exposed or business critical.
8) Is this score a full security rating?
No. It is a lifecycle and engineering prioritization model. Use it alongside threat modeling, asset classification, architecture review, and formal vulnerability management processes.