Mapping open source vulnerabilities to version control system histories

Description

The MITRE CVE (Common Vulnerabilities and Exposures) database contains a list of known vulnerabilities affecting software products, identified by CPE (Common Platform Enumeration), usually at the granularity of software releases. Software development, however, happens at a finer granularity: that of code commits. The goal of this project is to devise heuristics for mapping known CVEs to the intermediate development versions of open source software products, at the granularity of commits. To that end we will use existing open databases of known vulnerabilities as well as the Software Heritage archive of public code development.
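The granularity mismatch described above can be made concrete with a baseline heuristic that projects an NVD-style affected version range onto a linear commit history, marking the commits between a vulnerable release and its fixing release as undetermined because release-level data cannot say where the introducing or fixing commit sits. This is an added example and not the project's own method; the CPE string, the version range and the commit history are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def parse_cpe23(cpe: str) -> Dict[str, str]:
    """Split a CPE 2.3 formatted string into its leading named fields."""
    fields = cpe.split(":")
    if len(fields) < 6 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return dict(zip(("part", "vendor", "product", "version"), fields[2:6]))

def version_key(version: str) -> Tuple[int, ...]:
    """Order dotted numeric versions; non-numeric components sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def in_range(version: str, start_incl: str, end_excl: str) -> bool:
    """NVD-style range test: start_incl <= version < end_excl."""
    return version_key(start_incl) <= version_key(version) < version_key(end_excl)

@dataclass
class Commit:
    sha: str
    tag: Optional[str] = None  # release version tagged on this commit, if any

def label_commits(history: List[Commit], start_incl: str, end_excl: str) -> Dict[str, str]:
    """Project a release-level affected range onto an oldest-first commit history.
    Tagged commits are judged by their version; an untagged commit is 'affected' if the
    releases on both sides are affected, 'not_affected' if neither is, and otherwise
    'possibly_affected' (the interval holds the unidentified introducing or fixing
    commit). A missing neighbour release counts as not affected."""
    tags = [(i, c.tag) for i, c in enumerate(history) if c.tag]
    labels: Dict[str, str] = {}
    for i, c in enumerate(history):
        if c.tag:
            labels[c.sha] = "affected" if in_range(c.tag, start_incl, end_excl) else "not_affected"
            continue
        before = [t for j, t in tags if j < i]   # nearest release shipped before this commit
        after = [t for j, t in tags if j > i]    # first release that ships this commit
        sides = (bool(before) and in_range(before[-1], start_incl, end_excl),
                 bool(after) and in_range(after[0], start_incl, end_excl))
        labels[c.sha] = {(True, True): "affected", (False, False): "not_affected"}.get(sides, "possibly_affected")
    return labels

# Constructed sample history: nine commits, oldest first, four of them tagged releases.
HISTORY = [Commit("c1", "1.0.0"), Commit("c2"), Commit("c3", "1.1.0"), Commit("c4"), Commit("c5"),
           Commit("c6", "1.2.0"), Commit("c7"), Commit("c8", "1.3.0"), Commit("c9")]
# Constructed NVD-style record: affected from this CPE's version (inclusive) up to 1.3.0 (exclusive).
AFFECTED_CPE = "cpe:2.3:a:example_vendor:example_product:1.1.0:*:*:*:*:*:*:*"
if __name__ == "__main__":
    print(label_commits(HISTORY, parse_cpe23(AFFECTED_CPE)["version"], "1.3.0"))
```

The 'possibly_affected' commits are exactly the ones a commit-level heuristic (for example, matching the fix commit by its message or patched files) would have to resolve.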

References