Google Proposes An Open-Source Vulnerability Interchange Schema
As part of Google's latest work to enhance open-source software security, and months after starting their own open-source vulnerability database, they are now pushing an open-source vulnerability interchange schema to make it easier to exchange information on vulnerabilities and to analyze them automatically.
Google hopes this will be adopted as a unified vulnerability schema that open-source projects use to relay details about vulnerabilities. The emphasis of the schema is largely on making automated analysis and processing easier, while the JSON-based format can also be easily converted into human-friendly output.
Here's a look at the design in its near-finalized state.
Google has been working with projects like Go, Rust, Python, and their own OSS-Fuzz to support this schema as they work towards finalizing it.
More details on Google's open-source vulnerability schema can be found via the Google Security blog.