~alpine/devel

A shared vulnerability format for open-source packages

Konstantin Kulikov <k.kulikov2@gmail.com>
Message-ID: <CAD+eXGQuPB7jOPZgOAkEoNiwZvWmi8CGVqrqgxXijW-rPo=RJw@mail.gmail.com>
DKIM signature: missing

Russ Cox of the Go language team has drafted a proposal for a shared
vulnerability format for open-source packages, with the goal of enhancing
interoperability between language teams, security researchers, and
cross-language databases.
See google doc [0] and his original tweet [1].

[0] https://docs.google.com/document/d/1sylBGNooKtf220RHQn1I8pZRmqXZQADDQ_TOABrKTpA/edit#heading=h.ss425olznxo
[1] https://twitter.com/_rsc/status/1386682831770988545

Message-ID: <309a2660-f22-4a97-2ad5-305f41ba744@dereferenced.org>
In-Reply-To: <CAD+eXGQuPB7jOPZgOAkEoNiwZvWmi8CGVqrqgxXijW-rPo=RJw@mail.gmail.com>
DKIM signature: missing

Hello,

On Thu, 29 Apr 2021, Konstantin Kulikov wrote:

> Russ Cox of the Go language team has drafted a proposal for a shared
> vulnerability format for open-source packages, with the goal of enhancing
> interoperability between language teams, security researchers, and
> cross-language databases.
> See google doc [0] and his original tweet [1].

I have responded to him on Twitter.  We have been talking about a similar 
idea in ##distro-security on freenode.  It looks to me like both concepts 
are complementary to each other (we are talking about federating security 
data between internal distro trackers, using JSON-LD and Linked Data 
Notifications), as Russ's proposal provides a reasonable vocabulary for 
the security data to use.

Maybe we can get everyone together in ##distro-security to talk about this 
and organize something?

Ariadne
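
As an added illustration of the arrangement Ariadne sketches above (federated trackers exchanging records in a shared vocabulary over Linked Data Notifications), here is a minimal sender/receiver pair in Python. It is not code from this thread, from Alpine, or from the Go team's draft: the record field names, the context IRI and the hostnames are assumptions made for the example, and the draft's real vocabulary lives in the linked Google doc. What it does show is the LDN inbox discovery Link relation, a JSON-LD body being built for the POST, and the checks a receiving inbox should run before it trusts what arrived.

```python
"""Sender/receiver sketch of federating vulnerability records between distro
trackers over Linked Data Notifications (LDN).  Illustrative only: the record
field names and IRIs below are assumptions, not the draft format's vocabulary.
"""
import json
import re
from typing import Dict, Optional, Tuple

# Assumed IRI for the shared vocabulary's JSON-LD context.  Both sides pin it,
# so the receiver never dereferences a context chosen by the sender.
VULN_CONTEXT = "https://example.org/vuln/v0/context.jsonld"
LDN_INBOX_REL = "http://www.w3.org/ns/ldp#inbox"   # LDN inbox discovery relation
MAX_BODY_BYTES = 64 * 1024
REQUIRED_FIELDS = ("id", "package", "affects", "references")   # assumed
ID_PATTERN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,63}")

# Constructed sample record as one tracker might publish it.
SAMPLE_RECORD = {
    "id": "TRACKER-A-2021-0001",
    "package": {"ecosystem": "Alpine", "name": "example-pkg"},
    "affects": {"ranges": [{"introduced": "1.0.0-r0", "fixed": "1.2.3-r0"}]},
    "references": ["https://tracker-a.example/TRACKER-A-2021-0001"],
}


def discover_inbox(link_header: str) -> Optional[str]:
    """Return the inbox URL advertised in an HTTP Link header, or None.

    LDN discovery looks like:
        Link: <https://host/inbox>; rel="http://www.w3.org/ns/ldp#inbox"
    Only https inboxes are returned, so records never go out in the clear.
    """
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>\s*;\s*rel="?([^";]+)"?', part)
        if m and LDN_INBOX_REL in m.group(2).split():
            url = m.group(1)
            return url if url.startswith("https://") else None
    return None


def build_notification(record: Dict) -> Tuple[Dict[str, str], bytes]:
    """Sender side: wrap a record as a JSON-LD body ready to POST to an inbox."""
    body = {"@context": VULN_CONTEXT}
    body.update(record)
    data = json.dumps(body, separators=(",", ":")).encode("utf-8")
    return {"Content-Type": "application/ld+json"}, data


def accept_notification(headers: Dict[str, str], data: bytes) -> Tuple[int, str]:
    """Receiver side: the checks an inbox applies before storing a notification.

    Returns the (HTTP status, reason) the inbox would answer with.
    """
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype not in ("application/ld+json", "application/json"):
        return 415, "unsupported media type"
    if len(data) > MAX_BODY_BYTES:
        return 413, "body too large"
    try:
        body = json.loads(data)
    except ValueError:
        return 400, "malformed JSON"
    if not isinstance(body, dict):
        return 400, "top-level value must be an object"
    # A sender-supplied remote @context would make us fetch an arbitrary URL and
    # could redefine what the record's terms mean; accept only the pinned one.
    if body.get("@context") != VULN_CONTEXT:
        return 400, "unexpected @context"
    missing = [f for f in REQUIRED_FIELDS if f not in body]
    if missing:
        return 422, "missing fields: " + ", ".join(missing)
    if not isinstance(body["id"], str) or not ID_PATTERN.fullmatch(body["id"]):
        return 422, "bad id"
    if not isinstance(body["package"], dict) or "name" not in body["package"]:
        return 422, "bad package"
    return 201, "created"


def demo() -> Dict:
    """Run one good exchange and one where the sender swaps in its own @context."""
    inbox = discover_inbox(
        '<https://tracker-b.example/inbox>; rel="http://www.w3.org/ns/ldp#inbox"'
    )
    headers, data = build_notification(SAMPLE_RECORD)
    accepted = accept_notification(headers, data)
    tampered = json.loads(data)
    tampered["@context"] = "https://attacker.example/ctx.jsonld"
    rejected = accept_notification(headers, json.dumps(tampered).encode("utf-8"))
    return {"inbox": inbox, "accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of pinning the context is the practitioner's caveat here: a JSON-LD processor that dereferences whatever `@context` a peer sends will both fetch an attacker-chosen URL and let that peer silently redefine what terms like `affects` or `fixed` resolve to, so a federated inbox should only accept the vocabulary it already knows and validate the record's shape before anything downstream consumes it.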

Konstantin Kulikov <k.kulikov2@gmail.com>
Message-ID: <CAD+eXGSX5+mPNZHP0XxbK9iPHf4Q2+AfgT7ygrby=2JuQ+UQ+w@mail.gmail.com>
In-Reply-To: <309a2660-f22-4a97-2ad5-305f41ba744@dereferenced.org>
DKIM signature: missing

> Maybe we can get everyone together in ##distro-security to talk about this
> and organize something?

I'm not involved in this work, just thought it would be useful for alpine.

From the doc:
> This format is still in early stages, a work in progress. Feedback from maintainers of other vulnerability databases is most welcome. Please feel free to add comments directly to the doc (preferred) or to mail rsc@google.com. Once we have some confirmation that the approach is viable and adoptable (perhaps after further modifications), we intend to move this document to an appropriate permanent home.