It probably wouldn't raise much argument that over the past several years, the most serious and widely reported/recognized vulnerabilities have come out of isec.pl. A large reason for this is that they were one of the few groups that would actually publish exploit code. In a misguided view of security, many don't perceive there to be any "threat" unless a weaponized exploit is made public (clearly visible by continued mentions of the "vmsplice" boogey-man, for example).
The last 3 and the first one are credited to Wojciech Purczynski (email@example.com), while the remaining 10 are credited to Paul Starzetz (firstname.lastname@example.org). The last 3 from cliph are during his employment at COSEINC.
Paul Starzetz had this to say about the Linux kernel (from http://searchenterpriselinux.techtarget.com/news/article/...):
"First the problem [with] Linux is that there are too many people 'hacking' the code. It has reached a complexity where the 'I-hack-quickly-some-code' approach doesn't work anymore."
and in reply to a security advisory dismissing one of his vulnerabilities as a "DoS" (from http://www.security-express.com/archives/bugtraq/2006-07/...):
"I really wonder why in the recent past there is a tendency to declare
such things as "denial of service" etc - while they are perfect root
backdoors / vulns
*B000M* you are in one minut^K^K^Ke later...
Maybe this is just to hide the overall bad quality of the 2.6 kernel
code? *just guessing*
Anyway CVE-2006-2451 is trivially exploitable so I don't attach any
exploit code since it is obvious..."
I should also mention that since October 15, 2007, Paul Starzetz has been employed by Immunity, who specifically practices non-disclosure. So if you're patting yourselves on the back because he hasn't made public any more serious exploits in the kernel, it has nothing to do with the quality of the code.