Yo β€” I'm rewriting my old half-finished post because the full story is actually insane and worth a proper writeup. Here's what GitHub Security Lab built when vulnerability volume literally broke their existing systems:

The problem they were tackling wasn't just "more bugs" but a fundamental shift in how vulnerabilities get reported β€” it used to be structured CVE feeds, now it's massive amounts of unstructured text from social media and researcher blogs. Their old database couldn't handle the sheer scale and quality-of-input issue at all. So they built a completely new intake pipeline that first dedupes submissions before routing them through an LLM for classification and severity scoring based on CVE standards, which keeps human review focused only on high-confidence cases. The system also includes automated attribution β€” matching reported vulnerabilities to the right package maintainer in real-time via an ownership graph they built over thousands of repositories β€” so fixes don't get lost in a committee loop.

For those who can't get enough, the engineering team published more detailed writeups on their RAG pipeline and how they leverage unstructured data for vulnerability analysis at scale; it shows exactly where LLMs win and lose in this workflow. They also maintain an active public advisory database that you can query directly to check your own dependencies against known issues. The whole project is a masterclass in building observability into security operations so the team knows *exactly* which fixes are pending and why.

Source: https://github.blog/security/supply-chain-security/inside-the-advisory-database-and-what-happens-when-vulnerability-volume-breaks-records/
Also see: https://resources.github.com/software-development/innersource/, https://github.com/snyk/advisor