For Docker Enterprise Edition (EE) products, critical security information including patch updates are communicated to all Support Administrators and Authorized Contacts for the account. There is no mailing list or other communication mechanism to a general audience since notifications are sent to the contacts listed in the customer account directly. To learn how to add Authorized Contacts to your account, refer How do I add or remove an Authorized Contact?
For Docker Community Edition (CE) products, critical security information including patch updates are conveyed by the maintainers of their respective projects. Specifically for critical security vulnerabilities, general disclosure typically happens alongside the release of a fix for the vulnerability.