The recently added "Contributing" guide includes some notes about Mongoid's security patching policy. These would be better to be moved to a dedicated Maintenance Policy as Rails has done:

https://guides.rubyonrails.org/maintenance_policy.html

In addition, this policy should make clear how many major versions will receive security patches; currently the supported versions are specifically listed, but the logic of why they are supported is not clear to users.