From 5aed6880a6bc4e1af2993f0c0eeb4ff139c02428 Mon Sep 17 00:00:00 2001
From: Rae Sharp <resharp20@gmail.com>
Date: Mon, 15 Jun 2026 15:56:03 -0400
Subject: [PATCH 1/2] adds CVE spaces support lifecycle table

Signed-off-by: Rae Sharp <resharp20@gmail.com>
---
 docs/reference/cve-policy.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/docs/reference/cve-policy.md b/docs/reference/cve-policy.md
index d0809299..6f8984da 100644
--- a/docs/reference/cve-policy.md
+++ b/docs/reference/cve-policy.md
@@ -103,6 +103,17 @@ Spaces. CVEs in bundled dependencies are evaluated and patched under the same
 SLAs as first-party CVEs. Upbound publishes a software bill of materials (SBOM)
 for each release to support customer vulnerability tracking.
 
+**Spaces Support Lifecycle**
+
+| Minor Version | Current Minor Release Date | Latest Patch Release | Latest Patch Release Date | End of Support (EOL) Date |
+| ------------- | -------------------------- | -------------------- | ------------------------- | ------------------------- |
+| v1.17         | 2026-05-18                 | v1.17.0              | 2026-05-18                | 2027-05-18                |
+| v1.16         | 2026-03-13                 | v1.16.1              | 2026-05-22                | 2027-03-13                |
+| v1.15         | 2025-11-18                 | v1.15.4              | 2026-05-22                | 2026-11-18                |
+| v1.14         | 2025-09-16                 | v1.14.7              | 2026-05-22                | 2026-09-16                |
+| v1.13         | 2025-06-11                 | v1.13.6              | 2026-03-16                | 2026-06-11                |
+
+
 ## How Upbound triages CVEs
 
 All customer-reported CVEs and defects are triaged by the responsible team's

From 2023ffca030dd34406525b05a35f40c265dc7f09 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?rae=20sharp=20=E2=99=AF?=
 <8883519+tr0njavolta@users.noreply.github.com>
Date: Mon, 15 Jun 2026 16:11:14 -0400
Subject: [PATCH 2/2] Update CVE policy by removing SBOM reference
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Removed mention of software bill of materials (SBOM) in CVE policy.

Signed-off-by: rae sharp ♯ <8883519+tr0njavolta@users.noreply.github.com>
---
 docs/reference/cve-policy.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/docs/reference/cve-policy.md b/docs/reference/cve-policy.md
index 6f8984da..53628568 100644
--- a/docs/reference/cve-policy.md
+++ b/docs/reference/cve-policy.md
@@ -100,8 +100,7 @@ CVEs.
 
 Upbound bundles Kubernetes, UXP, and other infrastructure components within
 Spaces. CVEs in bundled dependencies are evaluated and patched under the same
-SLAs as first-party CVEs. Upbound publishes a software bill of materials (SBOM)
-for each release to support customer vulnerability tracking.
+SLAs as first-party CVEs.
 
 **Spaces Support Lifecycle**