Docs: Update supported versions and security patching details #33842

Merged: valentinpalkovic merged 4 commits into next from vanessayuenn-patch-1 on Mar 2, 2026

@vanessayuenn vanessayuenn commented Feb 13, 2026

Clarified security patching policy for supported versions and updated example version.

Closes #

What I did

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

  • stories
  • unit tests
  • integration tests
  • end-to-end tests

Manual testing

Caution

This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!

Documentation

  • Add or update documentation reflecting your changes
  • If you are deprecating/removing a feature, make sure to update
    MIGRATION.MD

Checklist for Maintainers

  • When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli-storybook/src/sandbox-templates.ts

  • Make sure this PR contains one of the labels below:

    Available labels
    • bug: Internal changes that fix incorrect behavior.
    • maintenance: User-facing maintenance tasks.
    • dependencies: Upgrading (sometimes downgrading) dependencies.
    • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
    • cleanup: Minor cleanup style change. Will not show up in release changelog.
    • documentation: Documentation only changes. Will not show up in release changelog.
    • feature request: Introducing a new feature.
    • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
    • other: Changes that don't fit in the above categories.

🦋 Canary release

This PR does not have a canary release associated. You can request a canary release of this pull request by mentioning the @storybookjs/core team here.

core team members can create a canary release here or locally with `gh workflow run --repo storybookjs/storybook publish.yml --field pr=<PR_NUMBER>`

Summary by CodeRabbit

  • Documentation
    • Revamped security patch policy using a major-version tiered approach: the latest major version receives all security fixes; the previous two major versions receive only High or Critical CVSS vulnerabilities (7.0+); older versions are unsupported.

Clarified security patching policy for supported versions and updated example version.

github-actions Bot commented Feb 13, 2026

Fails
🚫 The "#### Manual testing" section must be filled in. Please describe how to test the changes you've made, step by step, so that reviewers can confirm your PR works as intended.

Generated by 🚫 dangerJS against ff1c24a

Clarified the policy on backporting security fixes and specified supported versions based on CVSS scores.
Comment thread docs/releases/index.mdx Outdated
Comment thread SECURITY.md

@kylegach kylegach left a comment

Looks good! I suggested adding some links to the CVSS definition.

@kylegach kylegach added documentation patch:yes Bugfix & documentation PR that need to be picked to main branch ci:docs Run the CI jobs for documentation checks only. labels Feb 13, 2026
Co-authored-by: Kyle Gach <kyle.gach@gmail.com>
@vanessayuenn vanessayuenn marked this pull request as ready for review February 25, 2026 14:11

coderabbitai Bot commented Feb 25, 2026

Walkthrough

The pull request updates the security vulnerability policy for the project to use a tiered, major-version-based approach. The latest major version receives all security patches, the previous two major versions receive only High or Critical CVSS (7.0+) patches, and older versions receive no patches.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Security Policy Updates: `SECURITY.md`, `docs/releases/index.mdx` | Replaced narrative "Supported Versions" policy with tiered security-patch scheme based on major versions. Updated version examples, added explicit CVSS vulnerability thresholds (7.0+), and restructured documentation with detailed bullet points explaining patch eligibility by version tier. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/releases/index.mdx`:
- Line 31: Fix the typo in the release note sentence that reads "Older versions:
No longer recieves any patches" by changing "recieves" to "receives" so the line
reads "Older versions: No longer receives any patches"; locate and update that
exact string in the docs/releases/index.mdx content.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 60996ad and ff1c24a.

📒 Files selected for processing (2)
  • SECURITY.md
  • docs/releases/index.mdx

Comment thread docs/releases/index.mdx
We actively maintain the latest major version of Storybook. Within the current major, we patch only the latest minor version. Most fixes and new work go into the next minor (or sometimes major) and are not backported. Critical security fixes may be backported more broadly based on severity:
- Latest major: Receives all security fixes
- Previous two majors: Receive security patches for **High or Critical [CVSS vulnerabilities](https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System) only**
- Older versions: No longer recieves any patches
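
Review bot: the "Previous two majors" bullet gates backports on "High or Critical" but never states the numeric cut-off or the CVSS version it is measured against, and it links to Wikipedia rather than a specification. The PR summary gives the threshold as 7.0+; putting that number in the bullet and saying whose score decides eligibility would let a reader check whether a given advisory qualifies for a backport.
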
⚠️ Potential issue | 🟡 Minor

Typo: "recieves" → "receives".

📝 Proposed fix
-- Older versions: No longer recieves any patches
+- Older versions: No longer receives any patches
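
Review bot: the replacement line fixes the spelling but still pairs the plural subject "Older versions" with the singular verb "receives"; "No longer receive any patches" would agree with the subject and match "Receive" in the "Previous two majors" bullet.
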
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- Older versions: No longer recieves any patches
- Older versions: No longer receives any patches
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/releases/index.mdx` at line 31, Fix the typo in the release note
sentence that reads "Older versions: No longer recieves any patches" by changing
"recieves" to "receives" so the line reads "Older versions: No longer receives
any patches"; locate and update that exact string in the docs/releases/index.mdx
content.

@valentinpalkovic valentinpalkovic merged commit 52873a9 into next Mar 2, 2026
15 of 16 checks passed
@valentinpalkovic valentinpalkovic deleted the vanessayuenn-patch-1 branch March 2, 2026 13:27
yannbf pushed a commit that referenced this pull request Mar 4, 2026
Docs: Update supported versions and security patching details
(cherry picked from commit 52873a9)
@github-actions github-actions Bot added the patch:done Patch/release PRs already cherry-picked to main/release branch label Mar 4, 2026
Labels

ci:docs Run the CI jobs for documentation checks only. documentation patch:done Patch/release PRs already cherry-picked to main/release branch patch:yes Bugfix & documentation PR that need to be picked to main branch

Projects

Status: Done

4 participants