Magento's software lifecycle policy for the latest version differs from earlier ones. It states that quality fixes for a minor release are provided for 12 months after the next minor release becomes generally available. Magento 2.3 was released in November 2018, and the next minor release, 2.4, became available in July 2020.
That means the quality-fix period for Magento 2.3 ends a year after that release, in July 2021.
As for security fixes, the policy states that they are provided for at least 18 months after the next minor release becomes available. However, because of the impact of COVID-19 across the whole industry, that deadline was extended to April 2022.
It is worth keeping your system up to date even though Magento does not "shut down" when its lifecycle ends. Once software support has ended, you will face negative consequences, especially around security. For example:
- unsupported Magento software falls out of PCI compliance, so re-certifying it becomes solely your responsibility. An inability to close vulnerabilities can lead to fines or the loss of your ability to process credit cards.
- the longer software is unsupported, the less secure it becomes. Attackers tend to keep an eye on older software versions because they no longer receive security patches, so a vulnerability discovered in one installation applies to every target running the same version.
- and general business risk: customers and partners tend to place less trust in systems with known potential vulnerabilities.
A good rule of thumb is not to wait until your system is unsupported, but to update beforehand. Better still, have a clear maintenance plan and follow it.