# Support & Maintenance Lifecycle

This page sets out how long each release line of Flopsar receives security updates and technical support from Flopsar Technology Sp. z o.o. It is the public document referred to by:

* Article 13(8) of Regulation (EU) 2024/2847 (the Cyber Resilience Act), which requires the manufacturer to determine, communicate, and honor a support period for the product;
* Annex II, points g and h of the same Regulation, which require the manufacturer to inform users of the type of technical security support offered and until when it will be provided.&#x20;

A binding commitment of Flopsar Technology Sp. z o.o. follows from this page: throughout the support period of a given release line, security updates for that line are provided **without undue delay** and **free of charge** to any holder of a valid license, in line with point 8 of Annex I, Part II of the Regulation.

## Definitions

### Releases

Flopsar uses semantic versioning of the form `MAJOR.MINOR.PATCH`:

* **MAJOR** — for example `7.x` — denotes a product line. A new major release may introduce architectural changes, new components, or incompatibilities with previous lines, and is normally accompanied by a new EU Declaration of Conformity (see EU Declaration of Conformity).
* **MINOR** — for example `7.1` — adds functionality within a product line without breaking existing deployments.
* **PATCH** — for example `7.0.3` — contains bug fixes, security updates, and small adjustments only. A "release line" in this document refers to a `MAJOR` line — for example *Flopsar 7*. Lifecycle commitments are made at the line level, not at the patch level.

### Lifecycle stages

Each release line passes through three stages after its initial release. The stage determines which security updates and which software releases are produced for the line; it does not determine the availability of commercial technical support, which is a separate paid service governed by Section 5.

* **Active Maintenance.** The line is the current commercial offering. It receives new minor releases with functionality, bug fixes, and security updates.
* **Security Maintenance.** The line is no longer the current commercial offering, but is still in production use by customers. It receives security updates only, on the terms described in Section 4.
* **End of Life.** The line is no longer supported. Security updates are not produced.

## Support period

The support period of each release line of Flopsar 7 and later is **at least five years from the General Availability date of that line**, in line with the minimum required by Article 13(8) of the Regulation.<br>

Where the Active Maintenance phase ends before the support period ends, the remainder of the support period is served by the Security Maintenance phase. The total of the two phases is therefore at least five years.

## Manufacturer technical security support

The Cyber Resilience Act distinguishes, in Annex II point g, between **technical security support** that is an obligation of the manufacturer and ancillary commercial services. Section 4 covers the manufacturer obligation; Section 5 covers commercial services.&#x20;

The technical security support provided by Flopsar Technology Sp. z o.o. for every release line listed in Section 3 that is in Active Maintenance or Security Maintenance comprises four elements, described in Sections 4.1 to 4.4 below. It is **free of charge** to any holder of a valid licence for the affected line and is **not contingent** on the customer having entered into any separate commercial support agreement.

### Security updates

For every vulnerability in a supported release line that meets the severity threshold for action stated in Section 5 of the Vulnerability Disclosure Policy:

* A security update is produced and tested in line with the manufacturer's secure development process.
* The update is delivered through the same distribution channels as the underlying release — the official Linux package repository, the container registry, and the standalone download page — and is signed with the same signing keys.
* The update is free of charge to any holder of a valid license for the affected line.
* Vulnerabilities in third-party components shipped with the line are included on the same basis as vulnerabilities in code written by Flopsar Technology Sp. z o.o.

### Security advisories

Each fixed vulnerability is documented in a public advisory at Security Advisories, in human-readable form and in machine-readable CSAF 2.0 and CycloneDX VEX formats. The advisory identifies the affected versions, the fixed versions, the CVSS score, and, where available, the CVE identifier.

### Vulnerability reporting

A single point of contact is operated for reporters who wish to notify Flopsar Technology Sp. z o.o. of a vulnerability in the product. The full process is described in the Vulnerability Disclosure Policy. The single point of contact and the policy itself are public, free of charge, and accessible without prior contractual relationship with the manufacturer.

### Documentation

The security documentation under Security and the compliance documentation under Trust & Compliance is maintained for as long as the release line they document is in Active Maintenance or Security Maintenance. Updates to the documentation that affect supported lines are reflected in the `last_updated` date of each page.

### Scope by lifecycle stage

The four elements above apply differently depending on the stage of the release line:

* For a line in **Active Maintenance**, all four elements apply in full. In addition, non-security bug fixes and new functionality are delivered in minor releases.
* For a line in **Security Maintenance**, only patch releases that address security issues are produced. Bug fixes that are not security-relevant are not back-ported. Where a vulnerability affects the line but a fix is only practical to apply through an architectural change made in a later line, the situation is documented in the advisory together with the workaround and the migration path to the supported line, rather than producing a back-port that would not be reliable.
* For a line that has reached **End of Life**, no security updates are produced, including for vulnerabilities of any severity. Customers running such a line accept the corresponding risk and are responsible for their own mitigation. Advisories will continue to mention end-of-life lines where a vulnerability affects them, but will not list a fixed version for those lines.

## Commercial technical support

Beyond the manufacturer obligations in Section 4, **commercial technical support** is offered as a **separate, paid service** that is independent of the licence to use the product. Commercial technical\
support is purchased through a separate technical support agreement.

Commercial technical support is available for release lines in Active Maintenance and Security Maintenance, on terms that may differ between the two stages. It is not available for release lines that have reached End of Life.

## End-of-life notice

For each release line, Flopsar Technology Sp. z o.o. commits to:

* publish the planned **End of Active Maintenance** date no later than the General Availability of the successor line, with at least a **six-month** advance notice;
* publish the planned **End of Security Maintenance** date no later than the End of Active Maintenance, with at least a **twelve-month** advance notice;
* announce material changes to either date in advance, through this page, through the security announcements feed, and through direct communication to customers on record.&#x20;

Dates may be **extended**, but they are not normally shortened. Where shortening becomes unavoidable — for example, because a fundamental flaw in a third-party component cannot be reasonably mitigated — the revised date is announced as far in advance as the circumstances permit and the change is documented on this page.

## Upgrades and migration

Within the same major line, upgrades from one minor or patch version to a later one are supported and documented in Upgrade. No commercial charge applies to such upgrades for the lifetime of the line's license.&#x20;

Upgrades between major lines (for example, from Flopsar 7 to Flopsar 8) are not part of the manufacturer's technical security support obligation, but are made available to existing license holders on terms agreed in the commercial agreement. Migration guides for supported major-to-major paths are published with each new major release.&#x20;

A customer who chooses to remain on a line that has entered Security Maintenance is responsible for evaluating whether the security support remaining for that line is sufficient for the customer's operational horizon, and for planning migration accordingly.

## Frequently asked questions

#### Is technical support included with the license?

No. A license to use the product entitles you to use the software and to receive the manufacturer technical security support listed in Section 4 — security updates, advisories, vulnerability reporting, and the security and compliance documentation — free of charge. Commercial technical support, including direct assistance with troubleshooting and configuration, is a separate, optional service purchased through a technical support agreement (Section 5).

#### Do I have to pay for security updates?

No. Security updates within the support period of a release line are free of charge to any holder of a valid licence for that line, regardless of whether the customer has purchased commercial technical support. This is a commitment under point 8 of Annex I, Part II of the Regulation.

#### Are bug fixes back-ported to older lines?

Within an actively maintained line, yes. To a line that has entered Security Maintenance, only security-relevant fixes are back-ported. To an end-of-life line, no.

#### What happens to my license if a release line reaches End of Life?

The license remains valid for the version you have installed; the software does not stop working. What you lose is the manufacturer technical security support described in Section 4, in particular the distribution of further security updates. If you also held a separate commercial technical support agreement covering the line, that agreement ceases to apply on the End of Life date in accordance with its own terms.

#### When does CE marking start to apply?

The full applicability of Regulation (EU) 2024/2847 begins on 11 December 2027. Releases of Flopsar placed on the market on or after that date carry the CE marking and are accompanied by the declaration referred to in EU Declaration of Conformity.

#### How will I know when a line approaches End of Life?

By any of three channels: this page; the security announcements feed; and direct communication to your contact of record under the commercial agreement.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.flopsar.com/7/support-and-maintenance-lifecycle.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.