Each GeoServer release is supported with bug fixes for a year, with releases made approximately every two months.
This approach provides ample time for upgrading ensuring you are always working with a supported GeoServer release.
If your organisation is making use of a GeoServer version that is no longer in use by the community all is not lost. You can volunteer on the developer list to make additional releases, or engage with one of our Commercial Support providers.
If you encounter a security vulnerability in GeoServer please take care to report in a responsible fashion:
Please send a mail directly to firstname.lastname@example.org (moderated list with no possibility to subscribe, please just send directly to the address, the mail will be evaluated and eventually posted) and provide information about the security issue you might have found there.
For more information see Community Support.