A huge amount of time is spent simply mapping advisories to build artifacts which organizations care about and while curating with package taxonomies works, the curation cost scales linearly with the number of taxonomies. Practically speaking data collection will be limited in scope as a result.

However, the cost of curating vuln data with commits is decoupled from the cost of mapping those commits to packages. Mapping isn't free, but here's a demo of how it could work

https://codeberg.org/darakian/provenance-demo

vulnz.ch is a meetup I've been thinking about for a while. It's something I wanted to exist but couldn't find.

The idea is simple: bring together Zurich-based folks for a space dedicated to sharing knowledge about software security. That could mean presenting your analysis of an academic paper you've read, demoing a fork of an open source project you've been experimenting with, or showing off a tool you built during late-night coding sessions.

The first meetup is now being shaped, and the website is up and running. Check out vulnz.ch and sign up if you're interested in joining.

“To stress test it, I tasked 16 agents with writing a Rust-based C compiler, from scratch, capable of compiling the Linux kernel. Over nearly 2,000 Claude Code sessions and $20,000 in API costs, the agent team produced a 100,000-line compiler that can build Linux 6.9 on x86, ARM, and RISC-V.”

🤯

https://www.anthropic.com/engineering/building-c-compiler