Does apache tomcat have a support lifecycle in the same way that Microsoft apps like Windows do? And how regularly do they issue security updates for tomcat, e.g. monthly? We have got to do some reporting on unsupported software and we don't have an automated vulnerability scanner to do it so its becoming somewhat of a manual reports albeit not over that many systems. I am trying to find some accurate on data though on which to determine 'is it supported or not'.