Most of the Debian Security Audit Project is conducted in private, via individuals performing audits and only disclosing details once a Security Advisory has been issued.
However, there is a public mailing list which can be used to ask for guidance or discuss general issues.
Note: To avoid spam, you must subscribe to the mailing list in order to post.
To join the list, simply send a message with a subject of "subscribe" to:
debian-audit-request@shellcode.org
(To unsubscribe, give your message the subject of "unsubscribe".)
The mailing list is archived publicly.