I wasn't fully clear on this either
As the LMDE FAQ answers, if security updates are of the utmost importance to you, you should use Debian stable instead. zerozero was kind enough to answer my questions on this. I hope that with the below addition to the LMDE FAQ section that ElderDryas was kind enough to link you to, you have a better understanding of how security updates are handled. Recall that a default LMDE installation is using Debian testing repositories (though buffered, to allow for testing time to increase stability).
How does Debian testing handle security updates?
- Debian testing doesn't have a security team as you see for example in Debian stable (or in other distros); and why? The changes are so fast that it doesn't make sense (any possible security breach will be covered by the next version - in 2, 5 or 10 days);
- in very special situations (when the problem is too big or the maintainer doesn't respond in time) Debian has NMU (non-maintainer uploads), mostly used to cover these issues;
How does LMDE handle security updates?
- if you are using the UP [Update Pack] you have a buffer from updates from Debian testing (and here is the possible problem): this last UP (UP3 to UP4) was unusually long (all the others were delivered in the one month(ish) time-frame)
- Clem has stated in the past that if a security issue is important enough that it requires immediate action, LMDE developers can push it via the LM repos, or even trigger a new Update Pack just to pick it up. (viewtopic.php?f=186&t=84894&start=0#p491421)
You can review the LMDE FAQ for options to have LMDE use a different repository, so as to increase the frequency of updates (not just security), at the expense of possible decreased stability. Using Debian testing is a two-edged sword.