> One could imagine a cross-distribution project that gathered the same
> kind of information as the Debian security bug tracker, but in a more
> distribution-independent fashion.
Of course that already exists in a way, in the CVE vulnerability database.
> Each distribution could have a tool that processed that data, correlated
> it to its package names and versions, and then reported on what it found.
This remains the hard part. Starting with the package name, which is fairly free-form in CVE. And then the version, which is more so, especially when distributions may carry patches to the upstream version that affect security. There's something called CPE that might eventually allow automatic package name mapping, but does not seem to be broadly used in CVE entries yet.
It seems unlikely that an automated tool could be accurate enough to work without people doing work behind the scenes. Which is how Debian's security tracker works.
The funny thing about Debian's tracker is that it started out as a nearly free-form text file, in which I took the current list of all CVEs, and started making notes. Soon I had numerous helpers also updating the file, and the ad-hoc formats used for the notes became conventions, which then became formalized and parsed. It's still just a big (145k lines) text file.
The key features that have kept it going this long seem to be that it works well with version control and so the work is easily parallelized among contributors; it allows quickly checking through CVE entries to find ones that are relevant; it ensures that everything gets looked at without much chance of a vulnerability falling through the cracks.
Still, it's salt mines work. I'm continually amazed it's been updated for 9 years solid.