Comment 50 for bug 1996188

Our vulnerability management policy only requires the availability of backports to affected stable branches under normal maintenance in order to issue an official security advisory. It does not preclude also producing backports to older branches under extended maintenance, and we include those in our advisories (as well as pre-publication notifications to downstream stakeholders) if they happen to be available. What it means is that we won't hold up notifying stakeholders or publishing an advisory for maintained stable branches if there are delays or challenges backporting to older branches.