Idea: Federating Software Vulnerabilities

In line with improving the Supply Chain control of Free Software, and loosely related to Idea: Federated Supply-Chain Packaging, @indieterminacy mentioned in chat the:

Open Source Vulnerability Format


There are many problems to solve industry-wide concerning vulnerability detection, tracking, and response. One low-level problem is that there are many databases and no standard interchange format. A client that wants to aggregate information from multiple databases must handle each database completely separately. Databases that want to exchange information with each other must also each have their own parser for each format. Systematic tracking of dependencies and collaboration between vulnerability database efforts is hampered by not having a common interchange format. See our blog post for more details.

This document defines a draft of a standard interchange format. We hope to define a format that all vulnerability databases can export, to make it easier for users, security researchers, and any other efforts to consume all available databases.

The format is such that it might be encoded as an ActivityPub object in a vocabulary extension. This topic is a placeholder for an idea to federate vulnerabilities in FOSS so they can be tracked, archived, analysed, etc.