Historical CVEs against Python don't have a great way to represent the affected version ranges like OSV does, so providing the historical CVEs separately from actively issued advisories would help consumers detect whether they're running an affected Python version.
I'm currently working on vulnerability management, and I believe the vulnerability metadata in this repo will make our work easier :) If you have any work that needs help, whether manual or automated, you could ping me.
These are required in order for our evaluation rules (examples). If the exact commit that introduces the bug is not known, "introduced": "0" can be used to express that all prior versions should be considered affected.
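How a consumer would evaluate the "introduced": "0" sentinel described above, as an added example that is not part of the original thread or the project's code. It follows the event-walk evaluation from the OSV schema, and assumes plain X.Y.Z version strings instead of commits so it runs without a repository; the record, its id and the helper names are constructed for illustration.

```python
# Added example: OSV-style range evaluation over a constructed record.

def parse(version):
    """Turn a plain X.Y.Z release string into a comparable tuple.
    Assumption: no pre-release or local version suffixes."""
    return tuple(int(part) for part in version.split("."))

def event_key(event):
    """Return (kind, comparable version) for a single-key OSV event."""
    kind, value = next(iter(event.items()))
    # "0" is the sentinel for "before every real version": the empty tuple
    # sorts below any parsed version.
    return kind, (() if value == "0" else parse(value))

def in_range(version, events):
    """Walk the sorted events and track whether `version` is vulnerable."""
    v = parse(version)
    vulnerable = False
    for kind, ev in sorted((event_key(e) for e in events), key=lambda x: x[1]):
        if kind == "introduced" and v >= ev:
            vulnerable = True
        elif kind == "fixed" and v >= ev:
            vulnerable = False
        elif kind == "last_affected" and v > ev:
            vulnerable = False
    return vulnerable

def is_affected(version, record):
    """A version is affected if any range of any affected entry matches."""
    return any(in_range(version, rng["events"])
               for entry in record["affected"]
               for rng in entry["ranges"])

# Constructed record: the introducing point is unknown for the older branch,
# so "introduced": "0" marks everything before the fix as affected.
RECORD = {
    "id": "EXAMPLE-0000-0000",  # placeholder id
    "affected": [{"ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "0"}, {"fixed": "3.8.7"}]},
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "3.9.0"}, {"fixed": "3.9.1"}]},
    ]}],
}

if __name__ == "__main__":
    for candidate in ("2.7.18", "3.8.6", "3.8.7", "3.9.0", "3.9.1", "3.10.0"):
        print(candidate, is_affected(candidate, RECORD))
```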