They auto-import CVE feeds into the security tracker, file bugs for Debian maintainers to fix the issues, curate the tracking data, coordinate with upstreams and other distros to get fixes and so on. Some more on the team web page.

https://security-tracker.debian.org/ https://security-team.debian.org/