I just use
unattended-upgrades
and forget about itFor Ubuntu, I use https://ubuntu.com/security/oval
Fediverse and RSS mostly.
You can watch rss feeds to follow all CVEs like Microsoft’s https://api.msrc.microsoft.com/update-guide/rss
NIST used to have an rss feed for CVEs but deprecated it recently. They still have other ways you can follow it though https://nvd.nist.gov/vuln/data-feeds
Or if you just want to follow CVEs for certain applications you can host/subscribe to something like https://www.opencve.io/welcome which allows you to filter CVEs from NIST’s National Vulnerability Database (NVD)
Mailing list provided by my distro. https://lists.debian.org/debian-security-announce/
Found out about the xz one on Lemmy. Years ago I was briefly subscribed to Bugtraq but that was too much. Now I’m subscribed to a few OS specific security announcement mailing lists.
I tend to find out about vulnerabilities before it hits the news outlets from the rss feed at https://seclists.org/oss-sec/
Other than that, I’ve got a bunch of other security feeds I follow and also have automated updates with just about everything.