dead.letter

A technical blog focusing on Linux, FreeBSD, DNS, security and virtualization.

2008-10-31

portaudit and vuxml

I really like portaudit, a FreeBSD port you can install to notify you when vulnerabilities appear in your installed ports. It pulls down a database of vulnerabilities (much as ClamAV and other virus scanners pull down virus signatures) and compares it against the versions of the packages you have installed.

The vulnerability data portaudit consumes comes from vuxml, which is built by volunteer submission: users submit patches to /usr/ports/security/vuxml/vuln.xml describing newly discovered vulnerabilities. I consider this a negative in a way, since vulnerabilities frequently fall through the cracks. Could port maintainers be held responsible for updating vuxml when their ports are affected? I think this would be a reasonable compromise.

Otherwise we need a delegation of responsibilities to ensure vulns DON'T fall through the cracks. Perhaps a team of volunteers, each focusing on one source (CVEs; non-CVE advisories such as those listed by SecurityFocus or FrSIRT but never assigned a CVE; and vulnerabilities identified only by the vendor), would provide better coverage.

There's also the learning curve of generating vuxml entries, which I describe here. The process is a bit cumbersome and could use some help, so I've begun working on a "wizard" HTML form for vuxml submission (note: non-functioning as of yet) which could make this a little easier, especially for newbies.
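To make the mechanism concrete, here is a toy portaudit-style check written for this post (it is an added example, not portaudit's or the vuxml project's code). It parses a `<vuln>` entry in the vuln.xml layout described above, with its `<affects>/<package>/<name>/<range>` structure, and then walks a list of installed packages, flagging any whose version satisfies the `<lt>`/`<le>`/`<gt>`/`<ge>`/`<eq>` conditions of a range, which is the comparison the tool performs after downloading its database (the real tool works from a preprocessed audit file rather than vuln.xml itself). The sample entry, its vid, the package names and the installed-package list are constructed placeholders, and the version comparison is a simplified model of FreeBSD's pkg_version rules (epoch after a comma, PORTREVISION after an underscore, then dot-separated components), not the real algorithm.

```python
"""Toy portaudit-style audit: match vuxml <vuln> entries against installed packages."""
import re
import xml.etree.ElementTree as ET

# Constructed sample document. The vid, package names and URL are placeholders,
# not a real advisory; only the element layout follows vuln.xml.
SAMPLE_VUXML = """<?xml version="1.0"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>examplepkg -- hypothetical buffer overflow</topic>
    <affects>
      <package>
        <name>examplepkg</name>
        <name>examplepkg-devel</name>
        <range><ge>1.0</ge><lt>1.2_3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml"><p>Placeholder description.</p></body>
    </description>
    <references><url>https://example.invalid/advisory</url></references>
    <dates><discovery>2008-10-01</discovery><entry>2008-10-02</entry></dates>
  </vuln>
</vuxml>
"""

# Constructed list in pkg_info style "name-version"; not taken from any real host.
INSTALLED = ["examplepkg-1.1_2", "examplepkg-devel-1.2_3", "otherpkg-3.0"]

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}


def parse_version(v):
    """Simplified ports version model: 'ver_rev,epoch' -> (epoch, components, rev).

    Numeric pieces compare as integers, alphabetic pieces as strings, and a
    missing trailing component sorts lower (1.2 < 1.2.1). This is an
    approximation of pkg_version, not its exact rules."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        rev = int(r)
    comps = [(1, int(p)) if p.isdigit() else (0, p)
             for p in re.findall(r"\d+|[A-Za-z]+", v)]
    return (epoch, comps, rev)


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)


OPS = {
    "lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0, "gt": lambda c: c > 0,
}


def in_range(version, range_el):
    """True if every condition inside a <range> holds; an empty <range> matches all."""
    for cond in range_el:
        tag = cond.tag.split("}")[-1]          # strip the namespace prefix
        if not OPS[tag](compare_versions(version, cond.text.strip())):
            return False
    return True


def audit(vuxml_text, installed):
    """Return (installed_pkg, vid, topic) for every installed package an entry affects."""
    root = ET.fromstring(vuxml_text)
    findings = []
    for vuln in root.findall("v:vuln", NS):
        vid = vuln.get("vid")
        topic = vuln.findtext("v:topic", namespaces=NS)
        for pkg in vuln.findall("v:affects/v:package", NS):
            names = {n.text.strip() for n in pkg.findall("v:name", NS)}
            ranges = pkg.findall("v:range", NS)
            for inst in installed:
                name, ver = inst.rsplit("-", 1)   # split "name-version" at the last dash
                if name in names and any(in_range(ver, r) for r in ranges):
                    findings.append((inst, vid, topic))
    return findings


if __name__ == "__main__":
    for inst, vid, topic in audit(SAMPLE_VUXML, INSTALLED):
        print("Affected package: %s\n  Type of problem: %s\n  Reference: %s" % (inst, topic, vid))
```

Note that examplepkg-devel-1.2_3 is not reported: 1.2_3 satisfies `<ge>1.0</ge>` but not `<lt>1.2_3</lt>`, which is exactly the boundary a maintainer closes by bumping PORTREVISION in the fixed port and using that version as the `<lt>` bound in the entry.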

I'd also love to see portaudit ported to Linux distros (both RPM- and DEB-based), as it should be fairly easy to do.


1 Comments:

At 10:37 PM PDT, Blogger delimiter said...

The working form is now available at http://www.credentia.cc/services/vuxml/ - give it a try.
