• Hi, I have a few questions about security updates:

    * Does WordPress post a Security Advisory in case of a vulnerability in WP or popular plugins? Is there any mailing list or something where I can get messaged if an update is available?

    * Is there any plugin which checks for updates (the updates you can see on the dashboard) on a regular basis and emails the registered admins if an update is available?

    It’s annoying to check the dashboard of all WordPress instances every few days just to check if there is something to update.

Viewing 2 replies - 1 through 2 (of 2 total)
  • does WordPress post Security Advisory in case of vulnerability in WP or popular plugins?

    Not for plugins, no. They are simply removed from the Plugin Repository and the plugin’s author contacted with the details. With core, the general issues are not published until a fix/update has been created and published. We do not want to make the hackers’ lives too easy, now do we? 🙂

    Is there any mailing list or something where I can get messaged if an update is available?

    http://wordpress.org/news/category/security/

    However, by that time, an update will have been released and you will have been notified of it via your own site.

    For the purposes of receiving update notification email — not necessarily related to security — you can use WP Updates Notifier.

    http://wordpress.org/extend/plugins/wp-updates-notifier/

    I’ve been running it for some weeks now and it appears to work very well.

    To know when a plugin is removed from the WordPress.org repository, you can use

    http://wordpress.org/extend/plugins/no-longer-in-directory/

    It does not send you email notices but I know of no other way to be informed that a plugin has been removed for security or any other reason, other than manually checking each of your plugins at its original wp org plugin page. If the page gives you a 404 you are expected to deduce that it has been removed.

    To try to get ahead of vulnerabilities as they are discovered in the wild, you can set yourself up with some Google Alerts on phrases like “wordpress vulnerability.”

    Be cautioned however that search engine results will often contain spurious claims and hustlers trying to sell magic security pills. So if you are not confident that you can tell the difference, you’re honestly better off waiting for something official. The biggest trouble I got myself into early on was letting some alarmist internet chatter scare the stuffing out of me, racing to prevent/protect and getting in way over my head.
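
The manual check described in the reply above (a 404 on a plugin's wordpress.org page means it is no longer in the directory), scripted as an added Python example that is not part of the original thread or of any plugin it mentions. The URL pattern comes from the links in the reply; the function names and the assumption that each folder under wp-content/plugins is named after the plugin's directory slug are illustrative.

```python
import os
import urllib.error
import urllib.request

# URL pattern taken from the plugin links in the reply above.
PLUGIN_URL = "http://wordpress.org/extend/plugins/{slug}/"

def installed_slugs(plugins_dir):
    """Assumption: each sub-directory of wp-content/plugins is named after its slug."""
    return sorted(
        name for name in os.listdir(plugins_dir)
        if os.path.isdir(os.path.join(plugins_dir, name)) and not name.startswith(".")
    )

def http_status(url, timeout=10):
    """Return the HTTP status code for url, or None on a network failure."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:   # 4xx/5xx still carry a status code
        return err.code
    except (urllib.error.URLError, OSError):
        return None

def classify(slugs, status_of=http_status):
    """Sort slugs into listed / missing (404) / unknown (could not decide)."""
    result = {"listed": [], "missing": [], "unknown": []}
    for slug in slugs:
        code = status_of(PLUGIN_URL.format(slug=slug))
        if code == 404:
            # Also true for plugins that were never hosted in the directory.
            result["missing"].append(slug)
        elif code is not None and 200 <= code < 300:
            result["listed"].append(slug)
        else:
            # Timeouts and server errors are not evidence of removal.
            result["unknown"].append(slug)
    return result

def report(result):
    """Text body for a cron mail; empty string when there is nothing to flag."""
    lines = [f"404, check manually: {s}" for s in result["missing"]]
    lines += [f"could not check: {s}" for s in result["unknown"]]
    return "\n".join(lines)

if __name__ == "__main__":
    import sys
    print(report(classify(installed_slugs(sys.argv[1]))))
```

Run from cron with the path to wp-content/plugins as the only argument; an empty report means every installed plugin still has a directory page.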

  • The topic ‘Security Advisory Mail?’ is closed to new replies.