The Debian Kernel Team owns security support for Debian kernels in unstable and testing. Security fixes to kernels in stable are managed by the Debian Security Team. As with any other Debian package, users should not assume that all known security issues have been fixed in the unstable and testing versions. Less severe issues may be committed into svn but not uploaded until some more significant event triggers a release. Fixes that change the ABI may be delayed to avoid breaking an existing release of DebianInstaller.

Tracking Security Vulnerabilities

The Debian Kernel team is notified of security vulnerabilities through multiple channels. The testing-security team tracks known security vulnerabilities in Debian/testing. The Ubuntu kernel team

Kernel Team -> Security Team Maintenance Hand-off

Sarge will be the first stable release since the kernel team came into existence. As such, the hand-off process between the kernel and security teams is still being defined. The biggest issue is how we manage security maintenance during the period when testing kernels are frozen. During this period, the security team hasn't taken over maintenance yet, but the kernel team is no longer able to make changes that will automatically propagate into testing.

During the freeze, the kernel team is still actively tracking security updates for unstable. Also, the kernels in testing more closely resemble the kernels in unstable than the kernels in stable. These arguments suggest that the kernel team is the logical maintenance unit during this period, and this will hopefully save some work for the security team once the release occurs. The current procedure is to continue uploading security fixes to unstable. This makes the packages available in an environment that is likely to receive user testing. Once sarge is released, these packages can be used as the basis for security uploads.