How do you track security vulnerabilities?

Do you rely on mailing lists or news articles for security vulnerabilities? Please share.

I only got to know about xz/liblzma ^[1] and curl ^[2] ^[3] vulnerabilities through lemmy (maybe because of high severity?).