Improve http-fingerprints.lua format and organization #267

@dmiller-nmap

Description

The format has served us well, but it could stand to be improved in ways that will help users better choose what checks to run. Some ideas:

  1. Provide a simplified interface to vulns library, probably a "vuln" key that holds a vuln table as described there.
  2. Support logical AND of matches, perhaps by making the matches.match element optionally be a table.
  3. Recategorize. Existing categories are mostly descriptive of the finding, not of the action: printer, security, database, general. Would prefer categories like our NSE categories: discovery, vuln, exploit, dos.
  4. Add a way to filter fingerprints based on service detected. This is imperfect, but could be used to support a "fast mode" that doesn't run unlikely checks.
  5. Support a more full description of the fingerprint that could be printed in a postrule or used with a substring search to select/filter fingerprints. Keeping primary output 1-line makes sense given the number of potential findings here, but some things would benefit from further description.

Related to 3. above, it'd be nice if http-enum could know what script categories were requested and run the appropriate categories based on that, but there's not currently an API for that.
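To make the proposal concrete, here is an added illustration (not code from nmap or from the issue author) of one entry in the current http-fingerprints.lua shape next to a hypothetical entry using the keys the issue proposes, plus a small matcher that evaluates the "table of patterns means logical AND" idea and the service filter. The `service`, `description` and `vuln` keys, the matcher functions, and every path, pattern, service name and vuln field value are assumptions or constructed placeholders; only `category`, `probes`, `matches`, `match` and `output` reflect the existing format.

```lua
-- Added illustration of the format ideas in issue #267; not nmap code.
-- Entry 1 uses the current http-fingerprints.lua shape. Entry 2 is a
-- hypothetical shape spelling out the issue's ideas: a vulns-style "vuln"
-- table, "match" as a table meaning logical AND, an NSE-style category,
-- a service filter and a long-form description. All paths, patterns,
-- service names and vuln contents are constructed placeholders.

local fingerprints = {}

-- Current shape: one probe, one pattern, one line of output.
table.insert(fingerprints, {
  category = 'general',
  probes = { { path = '/', method = 'GET' } },
  matches = {
    { match = 'Server: ExampleHTTPd', output = 'ExampleHTTPd (constructed)' },
  },
})

-- Hypothetical proposed shape. Only category/probes/matches exist today;
-- service, description and vuln are the issue's ideas written out.
table.insert(fingerprints, {
  category = 'vuln',                        -- idea 3: NSE-style category
  service = { 'http', 'http-proxy' },       -- idea 4: only run for these services
  description = [[
    Constructed example: an administrative page served without
    authentication. Long-form text for a postrule or substring filter (idea 5).
  ]],
  probes = { { path = '/admin/', method = 'GET' } },
  matches = {
    {
      -- idea 2: a table of patterns means every pattern must match (AND)
      match = { '^HTTP/1%.[01] 200', '<title>Admin Console</title>' },
      output = 'Unauthenticated admin console (constructed)',
      -- idea 1: a vulns-library style table alongside the one-line output
      vuln = {
        title = 'Unauthenticated admin console (constructed)',
        state = 'VULN',                     -- stands in for vulns.STATE.VULN
        IDS = { CVE = 'CVE-YYYY-NNNNN' },   -- placeholder, not a real ID
        risk_factor = 'High',
      },
    },
  },
})

-- Hypothetical matcher: a string is one Lua pattern, a table is the logical
-- AND of its patterns, all evaluated against the raw response text.
local function matches_response(m, response)
  if type(m.match) == 'string' then
    return response:find(m.match) ~= nil
  end
  for _, pattern in ipairs(m.match) do
    if not response:find(pattern) then return false end
  end
  return true
end

-- Hypothetical service filter: no "service" key means "run everywhere".
local function applies_to_service(fp, service)
  if not fp.service then return true end
  for _, s in ipairs(fp.service) do
    if s == service then return true end
  end
  return false
end

-- Constructed response, as a script would see it after sending the probe.
local response = 'HTTP/1.1 200 OK\r\nServer: ExampleHTTPd\r\n\r\n'
  .. '<title>Admin Console</title>'

for _, fp in ipairs(fingerprints) do
  if applies_to_service(fp, 'http') then
    for _, m in ipairs(fp.matches) do
      if matches_response(m, response) then
        print(('[%s] %s'):format(fp.category, m.output))
      end
    end
  end
end
```

Run with a stand-alone Lua interpreter; both entries match the constructed response and print one line each. Keeping `output` next to `vuln` preserves the one-line primary output the issue wants while letting a postrule render the richer table.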
