1) See http://noc.postnuke.com/mail/?group_id=5 - the lists are still offline as a result of our ongoing gforge upgrade but that's the list you need.

2) The best lists are kept by the security companies themselves - secunia, security focus etc.

I'd add that any module that doesn't work on PN .750 on a server set with register globals off should be considered a risk. The module not working suggests that the coding makes assumptions about database connections, global variables and input that are a potential risk.

3) Not sure there's a need.... We've a security contact for reporting security issues to the team and security can be discussed in each forum as appropriate.

4) Sign up for security mailing lists - not just our one but ones like secunia. Keep the server and associated software (PHP, apache, mysql) patched up to date. Configure each component for security (see the relevant software sites for details) e.g. set register globals off in php.ini.

On the PN side of things test each module in an isolated test environment first. If you're comfortable with PHP code audit the module code prior to using it. Possibly try out some simpler, common exploits - e.g. non numeric strings where a numeric value is expected. There are various articles around the web on securing PHP code - take a look at these with a view to testing modules for each exploit technique.

-Mark
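As an added illustration of the two checks Mark describes (a module that only works because register_globals is on, and a numeric parameter that accepts non-numeric strings), here is a small PHP example. It is not code from the original post or from any PostNuke module; the `items` table, the `id` parameter and the function names are assumptions made for the example.

```php
<?php
// Added example for illustration only; not from the original post or PostNuke.
// The "items" table and the "id" parameter are hypothetical.

// Weak pattern: the module assumes register_globals=On, so ?id=7 in the URL
// silently becomes $id. With the recommended php.ini setting
//     register_globals = Off
// $id is never created, the query string is malformed and the module
// "doesn't work" - the symptom that signals the risky assumption.
function build_item_query_weak()
{
    global $id;                                   // relies on register_globals
    return "SELECT title FROM items WHERE id = $id";   // unvalidated, unquoted
}

// Hardened pattern: read the parameter explicitly from $_GET, accept only a
// string of digits (this is exactly the "non-numeric string where a number is
// expected" test) and keep the value out of the SQL text entirely.
function read_item_id(array $get)
{
    if (!isset($get['id']) || !is_string($get['id'])) {
        return null;
    }
    // ctype_digit rejects "", "abc", "7abc", "-1" and anything with spaces.
    if (!ctype_digit($get['id'])) {
        return null;
    }
    return (int) $get['id'];
}

function build_item_query_hardened(array $get)
{
    $id = read_item_id($get);
    if ($id === null) {
        return null;   // caller renders an error page; no query is run
    }
    // Parameterised query: the integer is bound by the driver, never interpolated.
    return [
        'sql'    => 'SELECT title FROM items WHERE id = :id',
        'params' => [':id' => $id],
    ];
}

// Self-check of the validator with the kind of probes Mark suggests trying
// against a module in an isolated test environment (values constructed here).
$probes = ['7', 'abc', '7abc', '', '-1', '12 34'];
foreach ($probes as $probe) {
    $id = read_item_id(['id' => $probe]);
    printf("%-8s -> %s\n", var_export($probe, true),
        $id === null ? 'rejected' : "accepted as integer $id");
}
```

To run the hardened query against a real database, pass the returned array to a PDO prepared statement, e.g. `$stmt = $pdo->prepare($q['sql']); $stmt->execute($q['params']);`. The point of splitting validation from query construction is that the audit question Mark raises ("does this module trust its input?") can be answered by reading `read_item_id` alone, and the same probes can be re-run after every module update.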