My thinking here is pretty simple. We have a variety of "compatibility modes" for the API and data tagging:
1) We have a "CVE only" data feed, easy, everything with a CVE alias.
3) We have a "vulnerability" data feed which is stuff that is generally attacker exploitable/triggerable, wider scope of coverage than CVE (e.g. better service coverage)
4) Everything else (the less well defined stuff)
In combination with this I'm also hoping to start collecting and analyzing the data to get things like confidence scores around how correct and/or complete an entry is, how likely it is to be exploitable (e.g. EPSS https://www.first.org/epss/ who might hopefully start feeding data to us soon), so e.g. someone can say "I just want the stuff that is actually being exploited/seen/has exploit code/PoC code" vs "give me all the vulns" vs "give me everything".