How best to track moodle 1.9 security vulnerabilities

Nate Baxley -
Number of replies: 7

With Moodle 1.9 security patches currently on the docket to stop in June and my institution likely to still be running M1.9 for a little while, I want to keep better on top of the security issues that are found.  Does anyone have suggestions about how best to do that?

Thanks,
Nate Baxley

Average rating: Useful (2)
In reply to Nate Baxley

Re: How best to track moodle 1.9 security vulnerabilities

Emma Irwin -

Hi Nate,

I don't have a response, but I am interested in this thread (subscribing) :) and then I'm actually going to ask one myself:  Where is the information on 1.9 support your question is based on, AND what version of 1.9 are you running?  Thanks

In reply to Nate Baxley

Re: How best to track moodle 1.9 security vulnerabilities

Dan Marsden -
Emma - see here: http://docs.moodle.org/dev/Releases#Moodle_1.9

Nate - unfortunately I don't think this will be something that can be easily "tracked" by the "general public"

Security issues are usually reported in the Moodle tracker and if they are flagged as "serious" then only the Security team can view them and because 1.9 is no longer supported these bugs may be closed as "won't fix" but probably won't be made completely public as that could potentially cause more issues for users still running 1.9. If this is really important to you I'd suggest you engage your local Moodle Partner to help track this.

In reply to Dan Marsden

Re: How best to track moodle 1.9 security vulnerabilities

Nate Baxley -

Thanks Dan.  We're hosting our own Moodle, and it's fairly large, around 20 thousand users, and we don't really have a relationship with a Moodle Partner.  What's involved in getting on the security team?  It's going to be in our interest to make sure these things are fixed, and if it's an issue that affects us, I'd be happy to work on patches.  Any idea who I should contact?

In reply to Nate Baxley

Re: How best to track moodle 1.9 security vulnerabilities

Martin Dougiamas -
Nate, if you can commit to tracking the security bugs on 2.x and backporting them to 1.9 as necessary (which means keeping up with all the security issues being integrated for 2.x, producing clean, trustworthy, safe patches for 1.9.x as branches in a github repository and then creating new issues in the tracker and submitting them for integration), then we will continue integrating them.   Contact me direct and I'll get you set up!

In reply to Martin Dougiamas

Re: How best to track moodle 1.9 security vulnerabilities

Nate Baxley -

Thanks Martin.  I will bring it up at our team meeting on Monday.  Sounds like we may get some help from Dan as well.

In reply to Martin Dougiamas

Re: How best to track moodle 1.9 security vulnerabilities

Nate Baxley -

Martin (et al.),

We discussed this at our meeting this morning and while we can't commit to taking on the role you described, we can put programming time toward fixing the issues as they come up, as long as we're still working with 1.9.  I'll talk to Dan to see if I can work with him to share the programming load.  Thanks for being open to this.  Wish we could do more.