A little late, but nevertheless, a summary of what happened in security relating to me in 2009:
In other words, the Calendar Deserialization issue. It was fixed by Sun Microsystems in 2008, but it still got a lot of attention in 2009:
In March, Julien Tinnes used his exploit of it in the CanSecWest Pwn2own competition, only to be disqualified, because we both had tipped Sun and Apple about the issue.
In May, Julien wrote an excellent bit on the vulnerability on his blog and also about the fact that Apple still hadn't fixed it. Landon Fuller also posted a proof-of-concept implementation of the exploit in an attempt to get Apple's attention to it. All this created quite the buzz, and a lot of articles were written on the topic. My personal favorite was this funny article by Angela Gunn on betanews.com.
In mid-June, Apple released a security update for its Java that fixed the issue in OSX.
In July, it was nominated for The Best Client-Side Bug Pwnie (unfortunately, it didn't win, though).
Still, at the end of the year, it gained attention because of various exploit kits using it as a vector to infect people who hadn't updated their Java.
CVE-2009-2670 was fixed by Sun Microsystems in August, as a part of Java SE 6 Update 15. It's a cute little vulnerability which allows read access to Java System properties and one of the first ones ever found by me.
Zero Day Initiative
I started collaborating with ZDI in 2009 and it's been extremely satisfactory so far. Some of the fruits of this cooperation can be observed in the upcoming advisories section of their site:
ZDI-CAN-552, ZDI-CAN-603, ZDI-CAN-588, ZDI-CAN-623, ZDI-CAN-628, ZDI-CAN-667
I was going to look into working with VeriSign's iDefense program as well, but the link for the zip with additional information on their new user page has been pointing to a 404 since at least September. I tried emailing them in mid-September, but finally gave up.