So to fulfil my employer’s compliance requirements, I need to watch a full NIST CVE feed to watch for Julia security issues. Edit: And that’s fine if that’s how it is. The point of this thread was to ask if the project offers anything better.
If you are interested and have time to spare, you could make a habit of opening issues with the keyword or label “security” in them when you spot something relevant in the NIST CVE feed. That way other people might be able to use the suggestions from this thread.
Just as an update for posterity, we now have an official JLSEC advisory prefix that works well within the OSV ecosystem. You can find them at JuliaLang/SecurityAdvisories.jl, osv.dev, and (hopefully) your favorite vulnerability scanner including trivy and dependencytrack.