Since GitHub now supports security advisories for each repository, that is where you'll find up-to-date reports and policies. You can always find more details in MITRE's CVE program, and an overview on CVE Details.
Grav itself and the Admin plugin are what every other extension builds on, so their advisories and policies are the most important to follow.