There is currently a scary number of vulnerability tracking systems, all doing pretty much the same work. One can find a list of most popular ones at CVE Reference Key page. We could expect better security from having so many projects, but in fact the net result is that we don't have any comprehensive source of information. Aggregators like CVE, Secunia and SecurityFocus, help track security issues, but none of them is complete, and it's not very easy to find relevant info when you get five or more secunia advisories for a bug in some wide-spread library - and all of them are about OS updates, not the lib in question.
Some operating systems, like FreeBSD, even have more than one vulnerability tracking facilities. Some vendors provide commercial support for their producst (e.g. RedHat, SUSE) and have all the reasons for using their own, proprietary security frameworks. And we should not forget that what constitutes a piece of third-party software for one OS, can come bundled in another one, complicating information an advisory should contain.
Upak aims at alleviating security tracking issues and seeks a way to make collaboration possible. To name a few possibilities:
- A new aggregator, crafted to be compatible with data formats of many security trackers. It is to have automatic import and on-demand export capabilities, so that any project can easily evaluate and import foreign advisories from the aggregator.
- A new tracker, much like the aggregator, but directly write-accessed by developers and security officers, who need to create a new entry. Automated export capabilities should be present in order for projects to retain their current data formats.
- A new tracker, encompassing most needs of many projects, which these projects agree to switch to. Direct read-write access for all interested parties requires well-tuned access-control (i.e. so that a Debian security officer would not be able to alter the effect an advisory has on OpenBSD, for example).