Hi @Jim_M  - you can sign up for security alerts at https://interact.f5.com/Customer-Preference-Center.html

We'll also have a banned banner up across DevCentral for CVEs, with a link to mitigation strategies - but for the most complete notifications, make sure to sign up at the Preference Center. 

There really isn't a single answer to this:

You can check MyF5 for new SecurityAdvisories: https://my.f5.com/manage/s/new-updated-articles#sort=%40f5_updated_published_date%20descending&f:@f5...

You can also create an RSS feed to monitor this on an ongoing basis.

For first-party security advisories (the type of thing F5 discloses in our QSNs), you can subscribe to 'F5 Security Announcements' here https://interact.f5.com/Customer-Preference-Center.html

For attack signature updates you can subscribe to 'F5 Security Operations Notifications' on the same page.  But you're better off using the automatic update/notification in the product than the email for this.

Note that there is very often no one-to-one mapping between WAF rules and a given CVE.  You may have one rule that addresses may CVEs, or multiple rules that handle different aspects of one CVE, etc.  It is very, very common that when a new CVE comes out there are already existing rules that block it - so nothing new is published.  The long and short of that is there is no 'index' where you can look up a CVE and say 'these rules block this CVE'.  There just isn't any exhaustive mapping, even internally.

There may be a rule that mentions a given CVE, but just because a CVE is *not* mentioned doesn't mean the WAF can't block it.  More often than not it can - it is just one of the basic WAF rules that blocks a whole family of vulns that does it.