Any software occasionally has bugs, and sometimes these bugs have security implications. When security bugs are fixed in the core software, modules, or themes that your site uses, they are released in a security update. You will need to apply security updates in order to keep your site secure. See Section 13.4, “Keeping Track of Updates” to learn how to be notified of security updates by email, and Section 13.5, “Updating the Core Software”, Section 13.6, “Updating a Module”, and Section 13.7, “Updating a Theme” to learn how to make updates.
The Drupal open-source project has a team of volunteers who track security-related bugs and release security updates. They also help other developers fix bugs, and maintain information for users on how to keep their websites secure. You can learn more about the security team and their practices and processes at the Drupal.org Security Team page.
It is important that security problems be kept confidential until they are fixed, so that sites are less likely to be compromised before they can be secured. If you find a potential security problem in any of the software you downloaded from the Drupal.org website, follow the procedures on the Drupal.org Security Team page to report it.
The core software, modules, and themes also periodically have regular updates to add new features and fix bugs. These updates are less critical than security updates. As a general best practice, updates should be applied as long as they do not cause problems with your site. Testing on a development copy of your site is always a good idea before applying updates on a live site. This is because some updates may include changes that are not compatible with the modules or themes on your site, or that will break a particular functionality on your site.