What can I subscribe to, to hear about news like that in a more systematic fashion? I mean, monitoring all CVEs might be a little too much for somebody who isn't a full-time security professional, but there surely must be some reasonable compromise between that and a position like "this browser is secure because tptacek said so".
I don't mean anything against tptacek personally, but without any substantial grounding this is as good as believing Keith Alexander/Michael Rogers/Vladimir Putin/Osama bin Laden/coin toss. In fact, a coin toss might be the most secure of all, as I surely know it doesn't try to fool me on purpose.
US-CERT publishes alerts on vulnerabilities affecting common software. Several RSS feeds are available. They also have weekly vulnerability summaries for a wide range of software.