If you’re following https://firmwaresecurity.com and you have any interest in Linux, you should also follow the LVFS (fwupd) blog by Richard Hughes:
https://blogs.gnome.org/hughsie/2018/10/30/1734/
The National Cyber Security Centre (part of GCHQ, the UK version of the NSA) wrote a nice article on using the LVFS to influence procurement decisions. It’s probably also worth noting that the two biggest OEMs making consumer hardware also require all their ODMs to also support firmware updates on the LVFS. More and more mega-corporations also have “supports the LVFS” as a requirement for procurement.
The linked article: https://www.ncsc.gov.uk/blog-post/firmware-updates-linux-and-using-data-influence-procurement-decisions
We believe data such as this can help determine the firmware support lifetimes for a device or whether a device is still receiving regular firmware updates. It can also be used to aid in predicting typical support lifetimes for future devices. These may be important factors when considering whether your device should still be considered ‘in support’.
I assert that proactively purchasing devices that are well supported under LVFS (fwupd) today is a good move. It says a lot about your vendor as noted above. Even if you have no Linux at all in your infrastructure.. that could all change well within the lifespan of your hardware.
Firmware Security 