CiviCRM security release announcements are announced via email and website.
Security releases are made for supported versions of CiviCRM only. Previous / unsupported versions will not receive security advisories. Where possible, advisories will state which prior versions of CiviCRM were affected by the issue resolved in the current release - but generally the most secure approach is to ensure you are running a current release.
Whenever there is a new security release, it will be published on the first or third Wednesday of the month. As a courtesy, the security-team will generally provide advance notice by sending email to the security notification list in the weeks before, but this will depend on circumstance. On the day of release, updates are generally published near the end of the day (US/Pacific timezone).
If you think you have discovered a security issue in CiviCRM, please follow the following procedure -
The CiviCRM security team will co-ordinate a release once they have identified and resolved the issue. You will be credited with having reported the issue (unless you request anonymity) and for any part you take in its resolution.
This policy was written with reference to the following: