Do we have a vulnerability-contributing commit on record?
A vulnerability-contributing commit is a commit that we believe is the origin of a vulnerability in source control. If a vulnerability has this tag, then we have found at least one VCC for it.
We use a modified version of the SZZ algorithm using the archeogit built by Nuthan Munaiah to identify VCCs. In short, this algorithm uses git blame
functionality to trace individual lines of code back to their origins. Curators are asked to verify if the VCCs are valid, so these have manual curations as well.