The Grouper project follows these guidelines on support and patching of previous releases.
The Grouper development team strives to maintain permanent backward compatibility of the core API across all releases.
Current and the previous two minor releases will receive active security patching by the core development team. As of May 2018, that means the 2.4.x, 2.3.x, and 2.2.x releases are maintained by the core development team. Releases outside of this window will be patched on a case-by-case basis depending on several factors, including: ease of development/testing of a patch for the version, compatibility of a patch for a supported release being applied to an unsupported release, and community contributions of patches for a targeted unsupported version.
Adopters who are running unsupported releases are encouraged to upgrade to supported releases. The Grouper development team will be happy to accept security patches for unsupported releases and make them publicly available to other adopters running unsupported releases. In addition, the Grouper development team will work with adopters running unsupported releases to assist on a best-effort basis with what would be needed for the adopter to develop their own patch against a known vulnerability.
References used in writing this policy
-Shibboleth Project: https://wiki.shibboleth.net/confluence/display/SHIB2/ProductVersioning
-Linux Kernel Project: https://www.kernel.org/category/releases.html
-Samba Project: http://www.samba.org/samba/devel/
Grouper Security Patches
Grouper InCommon Trusted Access Platform Package Versioning