Vulnerability History Project integration/collaboration


Chris Horn

Apr 1, 2021, 6:42:18 PM
to, Andy Meneely, Nuthan Munaiah

I'd like to figure out how we can integrate or collaborate with the Vulnerability History Project (VHP).

There seem to be a few possibilities:
1. Introduce you to our vulnerability contributing commit (VCC) mining software called archeogit
2. Cross-link vulnerabilities in with those in VHP
3. Develop joint pipeline/workflow for importing vulns (related:

The VHP project is led by Dr. Andy Meneely at Rochester Institute of Technology (RIT). Secure Decisions (the company where I work) is partnered with RIT to help fund the VHP project and develop insights from its work (useful to software engineering management and vulnerability hunting).

In VHP, volunteer "data shepherds" manually curate a rich set of information about vulnerabilities in popular open source software projects. VHP currently has curated data for Apache httpd, Apache Struts, Apache Tomcat, Chromium, Django, and FFmpeg.

Sampled curated vulnerability:
Apache Struts vuln that led to CVE-2017-5638, Equifax breach

Other examples are in `<project>-vulnerabilities/cves/*.yaml` files.

The concept of VCC (vulnerability contributing commits) seems the same as the `introducedIn` attribute. This is valuable information to researchers who want to study the state of a project when a vulnerability was introduced, rather than when it was fixed.

We have developed a tool called archeogit to automatically identify commits that likely contributed to a vulnerability. VHP uses archeogit to seed CVE YAML data with candidate VCCs, which are then manually validated by the data shepherds.

Looking forward to talking more soon,
w (518) 207-3111
m (703) 407-7389
PGP fingerprint EBD0 41C6 0CD1 3583 C7F2 E252 5350 DDE1 87C6 FE31

Abhishek Arya

Apr 1, 2021, 7:01:29 PM
to Chris Horn, Oliver Chang, Russ Cox, osv-discuss, Andy Meneely, Nuthan Munaiah
+cc Oliver who is OSV lead developer (ooo till tuesday - sydney timezone). Also ccing Russ who is involved with vulnerability schema discussions.

You received this message because you are subscribed to the Google Groups "osv-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To view this discussion on the web visit

Oliver Chang

Apr 5, 2021, 9:51:14 PM
to Abhishek Arya, Chris Horn, Russ Cox, osv-discuss, Andy Meneely, Nuthan Munaiah
Hi Chris,

On the OSV side, our data is public at This is currently all generated from automated analysis (including performing bisections). We would be very happy to see this data and automation used more widely in other places!

Thanks for introducing us to Archeogit -- it looks quite interesting and we'll explore if we can use this. 

