image credit: Christiaan Colen / Flickr

Google rolls out a unified security vulnerability schema for open-source software

Business author and expert H. James Harrington once said, “If you can’t measure something, you can’t understand it. If you can’t understand it, you can’t control it. If you can’t control it, you can’t improve it.” He was right. And Google is following this advice with a new way to strengthen open-source security: a vulnerability interchange schema for describing vulnerabilities across open-source ecosystems.

That’s very important. One low-level problem is that there are many security vulnerability databases but no standard interchange format. If you want to aggregate information from multiple databases, you must handle each one completely separately.

Read more on ZDNet