by m4r71n 2160 days ago
Side note: I wish there was an accepted industry-wide, machine-readable format for security advisories. It's kind of a pain that every project out there defines their own way, ranging from atrocious blog posts:

https://chromereleases.googleblog.com/2020/02/stable-channel...

to plain text files:

http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2015-001.t...

or custom XMLs:

https://www.openssl.org/news/vulnerabilities.xml

The CVRF standard promised to be this but is largely unused since it's fairly rigid and requires a lot of investment to get it right.

Even GitHub's advisories are fairly limited in the metadata they provide and only accessible through the GraphQL API.


What about CVE+CPE? The NIST NVD provides a CVE+CPE API for your machine-readable format, and CVEs are collected by MITRE.

Yes, but which open source project publishes CPEs for their vulnerability information? :-) Plus, an important part of every security advisory is specifying which versions are affected by a particular vulnerability versus which contain the fix and are thus no longer affected.