Splunk makes reasonable efforts to issue releases to mitigate or fix vulnerabilities for all applicable, supported versions. See the Splunk Software Support Policy for the list of supported versions.
Splunk releases, including maintenance and major releases, incorporate cumulative fixes for all prior vulnerabilities fixed.
For critical-risk, high-impact vulnerabilities, Splunk makes reasonable efforts to expedite maintenance releases for all affected, supported versions.
For critical-risk, high-impact vulnerabilities, Splunk makes reasonable efforts to supply patches, assuming that patches are a viable stop-gap for customers who cannot otherwise upgrade Splunk.