
Debian stable is just that - unchanging between major Debian versions. They do, however, push security updates when necessary, so you're not missing out on those.


Any chance you know how they manage that? Surely not every package in the repos is supported for the entire 2-year cycle, so if a vuln comes out after a major refactor, it’s surely not easy to backport the patch.


They auto-import CVE feeds into the security tracker, file bugs for Debian maintainers to fix the issues, curate the tracking data, coordinate with upstreams and other distros to get fixes and so on. Some more on the team web page.

https://security-tracker.debian.org/ https://security-team.debian.org/


There's some information here they've put out: https://www.debian.org/security/faq

And yeah, it must be an incredible amount of work to stay on top of all this.



