Current and the previous two minor releases will receive active security patching by the core development team. As of April 2016May 2018, that means the 2.34.x, 2.23.x, and 2.12.x releases are maintained by the core development team. Releases outside of this window will be patched on a case-by-case basis depending on several factors, including: ease of development/testing of a patch for the version, compatibility of a patch for a supported release being applied to an unsupported release, and community contributions of patches for a targeted unsupported version.
Adopters who are running unsupported releases are encouraged to upgrade to supported releases. The Grouper development team will be happy to accept security patches for unsupported releases and make them publicly available to other adopters running unsupported releases. In addition, the Grouper development team will work with adopters running unsupported releases to assist on a best-effort basis with what would be needed for the adopter to develop their own patch against a known vulnerability.
References used in writing this policy
-Shibboleth Project: https://wiki.shibboleth.net/confluence/display/SHIB2/ProductVersioning
-Linux Kernel Project: https://www.kernel.org/category/releases.html
-Samba Project: http://www.samba.org/samba/devel/