Add the vulnerabilities database to the site; but don't link it in
yet until it's working totally. To change or add a vulnerability you
exit vulnerabilities.xml then run an xslt processor on that file with
the vulnerabilities.xsl stylesheet and out will pop vulnerabilities.wml
that the website knows how to process. For now we make the user who
commits the change do this, and also commit in the wml file. We could
probably do this at make time with some perl, but the openssl site
doesn't have all the dependancies needed for XML::XSLT yet.
Although a lot of this information is in our changes file and in news
items on the site there isn't a single place where you can get a
complete overview of the vulnerabilities. A CSO I was speaking too
this month was suprised by how few issues there had been and thought
there were many more serious issues that had affected OpenSSL, this
page is, unsuprisingly, similar to the Apache httpd vulnerabilities pages
and is based on raw data I've been collecting on vulnerabilities for
Red Hat.