Since GitHub now have support for security advisories for each repository, this is where you'll find up-to-date reports and policies. You can always find more details on MITRE's CVE-program, and an overview on CVE Details.
Most prominently, Grav itself and the Admin-plugin are what every other extension builds on, therefore their advisories and policies are most important to follow: