chore: update SECURITY.md with supported versions section

kate-goldenring · kate-goldenring · commit bcc66f07a24f · 2025-04-02T14:16:07.000-07:00
Signed-off-by: Kate Goldenring &lt;kate.goldenring@fermyon.com&gt;
diff --git a/SECURITY.md b/SECURITY.md
@@ -9,3 +9,9 @@ The Spin team and community take security vulnerabilities very seriously. If you
 We will disclose any security vulnerabilities in our [Security Advisories](https://github.com/spinframework/spin/security/advisories).
 
 All vulnerabilities and associated information will be treated with full confidentiality. We are thankful for your efforts in keeping Spin secure, and we will publicly acknowledge your contributions if you wish.
+
+## Supported Versions
+
+- We will support **the current MAJOR version, and the latest MINOR version within that MAJOR version, until two months after the release of a new MAJOR version**. Only PATCH releases of a MAJOR release, which is in the two month window, will be made available. For example, if v2.0 is released on 3/1/2023. v1.x will be supported until 5/1/2023, which is two months after v2.0 is released. Within the two month period (3/1/2023 - 5/1/2023), v1.x will only receive PATCH updates.
+- We will support **the current MINOR version, within the latest MAJOR version, until 1 month after the release of a new MINOR version**. For example, if v1.1 is released on 4/15/2023. v1.0 will be supported until 5/15/2023. Within this period, PATCH releases will still be made for any critical fixes to v1.0.
+- Only **the latest PATCH version, for any MAJOR.MINOR version** is supported. When a new PATCH version is released, any issue raised, will be fixed by a new PATCH release (roll-forward). For example, if v1.0.1 is released, and an issue is being raised based on v1.0.0, the immediate ask on the user is to upgrade to v1.0.1. If the issue is also in v1.0.1, a new PATCH version will be released as v1.0.2.
