I strongly believe the JED and the VEL functions should be more tightly integrated. The VEL's usability and visibility would escalate incredibly with such a change, and adding the VEL as a "feature" OF the JED would allow both teams to have a greater positive impact on the Joomla community as a whole.
Currently "vulnerability" information for extensions is not maintained where that extension is most prominently accessed. Instead, vulnerability information is stored on the VEL, in a static-like format with no connection to the JED listing.
Appending VEL information to a JED listing would mean that the extension has only one record within the Joomla.org family sites, and users would be able to review that extension’s past and current vulnerabilities within the context of the JED, where they most likely found the extension in the first place.
The VEL property is less functional than the JED. Searching, filtering, and ordering are all features that the JED has implemented well. Any record searching utility, like the VEL portrays itself to be, should have these features.
One major reason that the VEL is not part of the JED is because the VEL is able to then “track” non-JED distributed extensions. This is counterproductive to the way Joomla has positioned itself to developers.
The community of Joomla decided many years ago to support developers who play by the community’s rules. The VEL is doing a disservice to very intentional decisions the community has made to support our community by tracking non-JED extensions. Joomla.org property sites should not be inconsistent.
The Joomla Install from Web feature, although controversial, is a huge move forward for our community. Yet that feature is less useful, and detrimental to the image and brand of Joomla if it has poorly maintained, but one-click-install accessible extensions on it. Having an extension’s VEL history log within the record would increase usefulness and functionality to install from web users considerably.
Because the VEL has relatively low visibility in comparison to the JED, extension searches on search engines like Google don’t contain VEL information. Extension developers with security vulnerabilities are not held responsible because of this low visibility. By allowing quick and easy access to VEL information from a JED listing page, extension developers will be encouraged to react more quickly, and code more responsibly with security in mind.
Maintaining a Joomla site is a huge amount of effort for any team. Updating extensions, updating Joomla, etc. all require a ton of effort. By removing the VEL, the Joomla community allows the VEL team to be more productive with managing VEL information, and spend less time on website maintenance.
I do not understand why you are so determined that this is a good idea. What purpose would a 'timeline' of past vulnerabilities serve? If an extension has a lot of fixes, what would that signify? That the developer has been conscientious and reported all the necessary fixes and therefore it should be trusted? Or that it is a bad extension, because the developer has had to issue many fixes to his/her appalling code? Or simply that it is a popular extension, so many people have looked at the code and spotted vulnerabilities?
I do not think that it answers a question that many users would actually ask. I suspect what JED users are mostly interested in is whether the current version has known vulnerabilities, not what has happened with past versions. That they ought to be able to tell by whether or not the extension is currently published in the JED. There I do think that you have a point, there sometimes could be better communication between the JED and VEL, so that currently vulnerable extensions are more quickly unpublished, and also that updated extensions are more rapidly re-published. But I do not think that this requires merging of the two teams, just better channels of communication.
The other thing that users probably want to know is whether the extensions they have installed on their site are listed on the VEL. We are actively working on a simple VEL API which can be used to answer that question.
I do not think that merging the VEL with the JED would increase its visibility, I suspect that rather the reverse would happen, given that the VEL is quite a small and specialist team, it could well disappear from view altogether.
As far as the monitoring of non-JED extensions is concerned, the VEL does not exist to support either JED or non-JED developers, but to provide an independent service to users of the extensions. In order to accomplish this we believe that it is right to list any extension which might be in use on a Joomla site, including non-JED extensions, and also sometimes template frameworks, which would never be listed in the JED. We do not provide any kind of advertising for the extensions covered, so I do not see why you think that tracking them is somehow providing a service to the developer - it is not. In fact there are quite a few developers who would probably rather that the VEL ignored them.