Dear Kees,
Thank you for your patience. I have heard back from the technical department with some information.
The Snapdragon 801 chipset used in the Fairphone 2 runs some proprietary closed-source code that only Qualcomm can maintain. Qualcomm no longer provides support for the Snapdragon 801, so we cannot provide updates that require altering these closed-source components. We patch the security issues that we can, and we only release a software version if it passes Google’s security checks.
I hope that this answers your question. If you have any other concerns, please do not hesitate to contact us again.
I wish you a nice day!
On which I replied:
Thanks for getting back to me. So to clarify, these closed-source updates would not be included by Fairphone once Qualcomm pulls out?
Because that would mean that “CVE-2021-30351 (CVSS score: 9.8, Qualcomm) - An out-of-bound memory access due to improper validation of number of frames being passed during music playback” would not be fixed.
Which has a very high CVSS score and is part of this remote spying possibility.
Fairphone support replied with:
Hi Kees,
Thank you for your reply.
I have asked the technical department and you are correct. Unfortunately, without extended support from Qualcomm, we’re unable to provide fixes to errors in their code.
For other models than the Fairphone 2, we are in talks with Qualcomm to hopefully guarantee longer support. But at this moment in time, we can not promise anything.
I hope this answers your question. If you have any other concerns, please do not hesitate to contact us again.
Some more generic information regarding the long-term software support:
This is proof of what I have been preaching for years: there is no sustainable hardware unless it is running free and open source hardware. Other institutions have recently started to recognize this. Only fixing high-risk CVEs for users of specific devices for policy reasons (from Qualcomm’s perspective) is nothing but planned obsolescence; an anti-feature for the FP2. Mine is working just fine, I just recently upgraded the camera and am considering getting a new battery soon as well. But knowing that continued use of my phone comes at the cost of being an easy target for hackers definitely has a bitter taste and makes me question whether I would get a Fairphone again.

For me the ‘premium’ price on the initial purchase is only worth it if I can actually use the device for a long time. For comparison: I am writing this from my T420, which is approaching 11 years of daily use. Even including upgrades and repairs, I have invested < 200 EUR / year in my notebook, and every day this number goes down further. If I had bought a 500 EUR device every 2 - 3 years, I would not have saved any money compared to that initially very expensive device. I’d love to be able to do the same with my phone. I wish enough people would care about fair software so that something like a Librem5, produced like a Fairphone, could be made and sold in a way that sustains the company behind it.
Please Fairphone, keep this in mind and make sourcing hardware components with FOSS firmware a priority (I know it probably won’t work for all parts but if you can choose, choose wisely) for the models to come.
Your laptop also requires firmware upgrades; those stop after a few years as well. Granted, they are for low-level components and usually don’t open up an attack surface that can be remotely exploited. Not in all cases though: Intel has remote management stuff which can be remotely controlled. Luckily you can disable that. And then of course there are the Spectre issues and the like. But it’s not as big of an issue as with phones.
I am aware. At least I don’t use any binary blobs in the Linux kernel and above (which means no WiFi in that case). Everything required to boot into Grub, as well as all the software running on internal controller chips etc., is out of my control as well. I am not aware of any known RCE or surveillance bug for any of the components though, especially one that has a fix available for newer devices but not mine. Also, it is much less likely that anyone gets physical access to my T420 than to my FP2. But that was not my point. My point is that I am considering buying a new phone only because there is no security support for the software, which goes against my reasons to purchase a FP to begin with.
We had vulnerabilities in common WLAN and BT chipsets, e.g. Broadpwn. Sometimes these can be mitigated at the kernel level. I believe most if not all of the Meltdown and Spectre vulnerabilities can be mitigated from the Linux kernel, at a price however: a price in performance. Devices already at peak performance might suffer.
Recently I briefly investigated getting AMD’s newest (just released) processor for my computer.
It turns out that with a firmware update that was released last February from the motherboard manufacturer, this new top end processor is fully backwards compatible with my old motherboard.
Did I mention the age of this motherboard? It was released in August of 2018, it is nearly 4 years old, and it is still getting upgrades that make it compatible with the newest processor.
Granted, this is an atypical situation in the PC world, and is not quite relevant to security. But indeed, with regards to security with PCs and laptops, they often get maintained with security updates for many years.
Phones have a long way to go. But I don’t blame Fairphone, I blame the fact that 90% of a phone’s “thinky bits” are integrated into one chip by Qualcomm or Mediatek, and they do not support these chips for anywhere near as long as they could.
You can also receive microcode updates for your processor that can apply security/performance fixes at every boot. So even if the vendor stops supporting the hardware, there is still a way to stitch things up. I hope Qualcomm on Android does this as well, not just for the CPU.
If it’s not patchable at the driver level, check and correct the number of frames above at the OS API level (sniffing for ALAC channels in media streams).
Or at least just scrap ALAC support: nobody uses ALAC. Make it optional in the Android settings with the default “no ALAC support”.
Leaving this unattended is simply not acceptable (having your device compromised just by surfing to the wrong website). Maybe it would be better to not provide patches anymore, so users (like me) don’t get a false sense of security. At least display a big warning message after patching: “Your device is still prone to malicious media streams that can result in remote code execution”.
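The post above suggests validating the frame count before the decoder touches the buffer. The following is an added example (not from the forum thread, and not Qualcomm’s or the ALAC decoder’s actual code) of what “improper validation of the number of frames” typically looks like in C and how the check is hardened. The header struct, field names and the decode stub are hypothetical and constructed for illustration only; they do not describe the real CVE-2021-30351 code path. The point it makes beyond the post: a length check that multiplies two attacker-controlled 32-bit fields can wrap around and pass, so the bound has to be tested by division (or with overflow-checked arithmetic).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stream header, constructed for this example. It stands in for
 * whatever a media decoder reads from an untrusted file or stream; it is NOT
 * the layout used by Qualcomm's decoder or by ALAC. Both fields come straight
 * from the stream, so both are attacker-controlled. */
typedef struct {
    uint32_t num_frames;  /* frame count claimed by the stream */
    uint32_t frame_size;  /* bytes per frame claimed by the stream */
} frame_header_t;

/* Vulnerable pattern: the product is computed in 32-bit arithmetic and wraps,
 * so e.g. 0x40000001 frames of 4 bytes "totals" 4 bytes and passes, after
 * which the decoder walks far past the end of the buffer. */
bool frames_fit_naive(const frame_header_t *h, size_t buf_len)
{
    uint32_t total = h->num_frames * h->frame_size;   /* may wrap around */
    return total <= buf_len;
}

/* Hardened check: reject zero-sized fields, bound the frame count to what the
 * caller can actually hold, and test num_frames * frame_size <= buf_len by
 * division so the comparison can never overflow. */
bool frames_fit_checked(const frame_header_t *h, size_t buf_len, size_t max_frames)
{
    if (h->num_frames == 0 || h->frame_size == 0)
        return false;
    if (h->num_frames > max_frames)      /* more frames than the output holds */
        return false;
    if (h->frame_size > buf_len)         /* a single frame already exceeds input */
        return false;
    return h->num_frames <= buf_len / h->frame_size;
}

/* Decode stub standing in for the real decoder: copies the first byte of each
 * frame into out[]. Only runs after the hardened validation, so every index it
 * forms is inside buf and inside out. Returns frames processed, 0 on reject. */
size_t decode_frames(const frame_header_t *h, const uint8_t *buf, size_t buf_len,
                     uint8_t *out, size_t out_frames)
{
    if (!frames_fit_checked(h, buf_len, out_frames))
        return 0;
    for (uint32_t i = 0; i < h->num_frames; i++)
        out[i] = buf[(size_t)i * h->frame_size];
    return h->num_frames;
}
```

The same shape applies at the OS API level the post proposes: whatever component receives the media stream validates the header against the real buffer length before handing it to a closed-source decoder it cannot patch.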
Please note this is a user forum. People at FairPhone may occasionally read along, but if you want your (adapted) message to reach them, you should contact FairPhone Support.
That’s recognized and understood by FP, and true for all devices using Qualcomm SoCs as well... So overall it is in the first place a QC issue, not a Fairphone issue, and a fight of David against Goliath... so we need a general change, and Fairphone alone is most likely not big enough to do this.
I would also like to learn something in this subject area. Maybe someone of you knows the answer to a few questions of mine. That would make me happy.
Do the security updates from Qualcomm have to be made for each chipset separately? Or even for each smartphone model?
Does Fairphone provide all Qualcomm security updates to custom ROM developers?
This is not directly what this topic is about, but it is just as important:
Are the security updates for the Linux kernel generic? Can the developer of a custom ROM download the latest kernel updates from somewhere at any time (even after several years)? Or does he have to get them from Fairphone? Does Fairphone always provide all security updates for the Linux kernel?
Maybe a possible approach would be for Fairphone to team up with Graphene? Graphene has announced that it wants to offer its “own” smartphones and is looking for a hardware manufacturer.
re kernel:
A device maintainer can pull in Linux patchsets from kernel.org, the aosp-common kernel, or the Qualcomm common kernels.
If you do it on a regular basis it doesn’t take long to work through.
Preference would be for the latter branches, as they’ll have more Android/Qualcomm-specific fixes.
aosp-common is usually very close behind kernel.org, but CAF kernels are often a dozen+ sublevels behind.
For end-of-life kernels that are no longer supported by the above (anything <=4.4) you can use a tool like my CVE patcher.
re: other updates to aftermarket systems
These are technically a huge gray area and Qualcomm could sue us all out of existence overnight if they wanted to.
This is for each chipset separately, and that is where problems begin with older ones that Qualcomm doesn’t support anymore. The last update for the FP2 for instance was in 2019. These files can be extracted from the Fairphone OS updates by ROM developers.
The Qualcomm components are compatible with a specific Linux kernel version, 3.4 in the case of the FP2. Fairphone has updated to the last point release of it (3.4.113).
How many years does a kernel version usually get security updates? What is the reason that at some point there are no more updates? With Qualcomm it is clear to me. This is a profit-oriented company that has no interest in “wasting” resources “unnecessarily”. They want to sell new chipsets.
Which kernel does the FP4 have, and how long will it probably get updates? Would the CVE patcher then have to be applied by the developer of the custom ROM, or can a completely inexperienced layman do that? The CVE patcher takes care of the kernel, but the Qualcomm updates are still missing, right?