Data provider-independent vulnerability management in Versio.io

Review of the termination of MITRE funding by the US government

 

Short version

  • The recent actions of the US government under Donald Trump, in particular the cut in funding for the MITRE Corporation, jeopardize the long-term stability of one of the world's leading databases for IT security vulnerabilities. As a result of the worldwide protest, the US government has now pledged funding for a further year.
  • Versio.io relies on a generic, internally developed model for managing vulnerabilities (Common Vulnerabilities and Exposures, CVEs) and at the same time offers the flexible integration of a wide variety of data sources - including public vulnerability databases and vendor-specific security advisories. Thanks to this approach, Versio.io is independent of individual institutions, centralized data sources and possible political influences.
  • If MITRE stopped publishing new vulnerabilities, customers and manufacturers of software solutions in the IT security sector would lose information. This gap would very likely be filled promptly by new organizational units (e.g. the European Vulnerability Database of the European Union).
  • The US government's decision has once again raised global awareness of the importance of vulnerability databases. Versio.io assumes that the trend towards decentralized, distributed data storage will continue - combined with higher availability and improved content quality of the vulnerability information provided.
 

What has the US government decided?

On April 16, 2025, the US government under President Donald Trump announced that it would stop funding the MITRE Corporation.
The MITRE Corporation is a non-profit organization in the United States that conducts research and development work on behalf of the government. It operates Federally Funded Research and Development Centers (FFRDCs) to address complex challenges in areas such as cybersecurity, defense, healthcare and aerospace. One of its central tasks is to clearly identify IT vulnerabilities, assign them standardized identifiers (IDs) and document them systematically.
The US government's decision has unsettled many Versio.io customers with regard to integrated vulnerability management. We would therefore like to provide clarity in this article and explain our position on this topic. First of all: there is no need to worry, but things will change and Versio.io is well positioned for this!
 

What is the general impact of the US government's decision?

IT vulnerability information is essential because it enables organizations to identify and close known vulnerabilities early - before they can be exploited. It creates transparency, promotes standardized responses to security risks and supports automated protection processes in companies worldwide.
Without the central coordination and assignment of CVE IDs by MITRE, the internationally established system for classifying vulnerabilities would fall apart. There would be inconsistencies, duplicate assignments or missing references - with serious consequences for cooperation between software manufacturers, security companies and authorities. The speed of response to threats would also suffer considerably.
 

What does this mean for Versio.io customers?

Versio.io provides its customers with over 600,000 pieces of up-to-date information on IT security vulnerabilities from a variety of data sources every day. This means that the IT landscapes and technologies inventoried by Versio.io can be specifically checked for known vulnerabilities.
For internal processing, Versio.io uses a generic model for managing vulnerability information. This allows both general data sources for IT security vulnerabilities (CVE) and vendor-specific security advisories to be centrally recorded and evaluated. The following table shows the currently connected data sources, which are updated daily and made available to our customers:
 
Data source                                     Number of vulnerabilities
National Vulnerability Database (MITRE/NIST)    289,742
GitHub Advisory Database                        273,868
Red Hat Security Advisory                       38,716
Juniper Security Advisory (JSA)                 1,132
Palo Alto Networks Security Advisories          434

Table: Data sources integrated in Versio.io for IT security vulnerabilities and advisories (as of 16.04.2025)
 
The end of MITRE's funding could mean that no new information on identified IT vulnerabilities and no updates on previously published vulnerabilities will be provided. We can compensate for this potential gap in Versio.io with vulnerability information providers already integrated or to be integrated in the future.
The following further integrations of vulnerability databases are planned on the Versio.io product roadmap:
  • European Vulnerability Database (EUVD) of the European Union: https://euvd.enisa.europa.eu
  • Open Source Vulnerabilities (OSV): https://osv.dev
  • VDE Cert for OT/IoT: https://www.vde.com/topics-de/digital-security/cert-vde
The Versio.io team sees the debate triggered by the US government's decision as a great opportunity to strengthen digital resilience by building distributed vulnerability databases and to sustainably improve the quality of vulnerability information. In particular, the reliability of MITRE and the NIST database in terms of time and content has been increasingly criticized in recent months.
With the beta version of the European Vulnerability Database (EUVD) published in April 2025, the European Union Agency for Cybersecurity (ENISA) has already taken an important step to compensate for the possible failure of the US National Vulnerability Database (NVD).
 


Author


Contact person
Matthias Scholze
Chief Technology Officer
P:  +49-30-221986-51


Keywords

Vulnerability, MITRE, NIST, US, Government
