As you mentioned, https://moodle.org/security/
is a good place to start; all security fixes will be published there approximately 1 week after the fixed versions are released, and include their (general) severity and a link to the git
diff so you are able to see which changes need to be applied. Moodle 3.5.x will be security supported until May 2021, so you'll be able to see which fixes are applicable to that Moodle version until then.
Security fixes are released as part of minor releases, and you can see when those will take place the release calendar
If you would like to receive security fixes by email, you can also sign up to security alerts by registering (or re-registering) your Moodle site. This gives you the added benefit of receiving the alerts earlier (usually on the day fixes are released, rather than waiting for them to be published the following week). To set this up, log into your Moodle site as an admin, navigate to Site administration / Registration, fill in the relevant details, and ensure you set the "Notifications of new Moodle releases, security alerts and other important news field" to "Yes" before submitting the registration.