Hi,

I am a PhD Student at NC State University. As part of our research, we are evaluating the existing tools that detect vulnerable dependencies. We have observed that the tools’ result can differ based on the strength of its vulnerability database. For our research, we are hoping to understand more on how services like GitHub maintains its vulnerability database. We’d be grateful if we get some responses for the below questions.

1. What are your sources for vulnerability data, e.g. NVD, OSS Index?
2. Do you have any process to discover open source vulnerabilities by yourselves, e.g. through monitoring bug repositories? If yes, is it possible to share with us a high level explanation of what you do?
3. When collecting vulnerability data from third-party databases (e.g. NVD), do you perform any curation and/or correction, e.g. discarding debated CVEs or correcting the affected version range? If yes, is it possible to share with us a high level explanation of what you do?

Thanks,
Nasif