We've just added a page detailing CiviCRM's security policy and release process.
This page is intended to help people identify how they can stay abreast of security updates, know when to expect them, and how to tell which release of CiviCRM to expect security fixes for.
If you maintain or operate a CiviCRM site (or sites!) then you this is a page you should be familiar with, and there are a few actions you should take -
The CiviCRM community are making ongoing efforts to improve CiviCRM's security and processes, and we hope this will help our users better understand, manage and organize security on their CiviCRM sites.