I think once our install guides are all out and the documentation is in place, we should go through it with a mind for security. Our default install should be as locked down as possible, IMO.
For example: I think AOLserver should probably be installed in a chrooted environment, and why don't we just go ahead and do this in the install guide?
I'm willing to help out with this once the docs are released and we go beta.
And then let's try and hack our own sites. Once I get my OpenACS site up, I'll volunteer to be a target.