Data provider-independent vulnerability management in Versio.io
Review of the termination of MITRE funding by the US government
- The recent actions of the US government under Donald Trump, in particular the cut
in funding for the MITRE Corporation, jeopardize the long-term stability of one of
the world's leading databases for IT security vulnerabilities. As a result of the
worldwide protest, the US government has now pledged funding for a further year.
- Versio.io relies on a generic, internally developed model for managing vulnerabilities
(Common Vulnerabilities and Exposures, CVEs) and at the same time offers the flexible
integration of a wide variety of data sources - including public vulnerability databases
and vendor-specific security advisories. Thanks to this approach, Versio.io is independent
of individual institutions, centralized data sources and possible political influences.
- If MITRE stopped publishing new vulnerabilities, customers and manufacturers of
software solutions in the IT security sector would lose information. This gap would
very likely be filled promptly by new organizational units (e.g. the European
Vulnerability Database of the European Union).
- The US government's decision has once again raised global awareness of the importance
of vulnerability databases. Versio.io assumes that the trend towards decentralized,
distributed data storage will continue - combined with higher availability and improved
content quality of the vulnerability information provided.
What has the US government decided?
On April 16, 2025, the US government under President Donald Trump announced that it
would stop funding the MITRE Corporation.
The MITRE Corporation is a non-profit organization in the United States that conducts
research and development work on behalf of the government. It operates Federally Funded
Research and Development Centers (FFRDCs) to address complex challenges in areas such
as cybersecurity, defense, healthcare and aerospace.
One of its central tasks is to clearly identify IT vulnerabilities, assign them standardized
identifiers (IDs) and document them systematically.
The US government's decision has unsettled many Versio.io customers with regard to
integrated vulnerability management. We would therefore like to provide clarity in
this article and explain our position on this topic. First of all: there is no need
to worry, but things will change and Versio.io is well positioned for this!
What is the general impact of the US government's decision?
IT vulnerability information is essential because it enables organizations to identify
and close known vulnerabilities early - before they can be exploited. It creates transparency,
promotes standardized responses to security risks and supports automated protection
processes in companies worldwide.
Without the central coordination and assignment of CVE IDs by MITRE, the internationally
established system for classifying vulnerabilities would fall apart. There would be
inconsistencies, duplicate assignments or missing references - with serious consequences
for cooperation between software manufacturers, security companies and authorities.
The speed of response to threats would also suffer considerably.
What does this mean for Versio.io customers?
Versio.io provides its customers with over 600,000 pieces of up-to-date information
on IT security vulnerabilities from a variety of data sources every day. This means
that the IT landscapes and technologies inventoried by Versio.io can be specifically
checked for known vulnerabilities.
For internal processing, Versio.io uses a generic model for managing vulnerability
information. This allows both general data sources for IT security vulnerabilities
(CVE) and vendor-specific security advisories to be centrally recorded and evaluated.
The following table shows the currently connected data sources, which are updated
daily and made available to our customers:
| Data source | Number of vulnerabilities |
| --- | --- |
| National Vulnerability Database (MITRE/NIST) | 289,742 |
| GitHub Advisory Database | 273,868 |
| Red Hat Security Advisory | 38,716 |
| Juniper Security Advisory (JSA) | 1,132 |
| Palo Alto Networks Security Advisories | 434 |

Table: Data sources integrated in Versio.io for IT security vulnerabilities and advisories
(as of 16.04.2025)
The end of MITRE's funding could mean that no new information on identified IT vulnerabilities
and no updates on previously published vulnerabilities will be provided. We can compensate
for this potential gap in Versio.io with vulnerability information providers already
integrated or to be integrated in the future.
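The following added example (not Versio.io's code or data model) sketches how records from several providers can be merged by shared identifiers, and how to list the vulnerabilities that would be known only through a single provider. The record fields, function names and all identifiers are constructed placeholders.

```python
# Added illustration: provider-independent merging of vulnerability records.
# Field names and all identifiers below are constructed placeholders.
RECORDS = [
    {"source": "NVD", "id": "CVE-0000-0001", "aliases": [], "severity": 9.8},
    {"source": "GHSA", "id": "GHSA-aaaa-bbbb-cccc", "aliases": ["CVE-0000-0001"], "severity": 9.1},
    {"source": "RHSA", "id": "RHSA-0000:0001", "aliases": ["CVE-0000-0001"], "severity": 7.5},
    {"source": "GHSA", "id": "GHSA-dddd-eeee-ffff", "aliases": [], "severity": 5.3},
    {"source": "NVD", "id": "CVE-0000-0003", "aliases": [], "severity": 6.1},
]


def merge(records):
    """Group records that share any identifier (union-find over IDs).

    `aliases` must name the same vulnerability; an advisory covering several
    CVEs has to be split into one record per vulnerability before merging.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for r in records:
        find(r["id"])
        for alias in r["aliases"]:
            parent[find(alias)] = find(r["id"])

    groups = {}
    for r in records:
        g = groups.setdefault(find(r["id"]), {"ids": set(), "sources": set(), "severity": 0.0})
        g["ids"].update([r["id"], *r["aliases"]])
        g["sources"].add(r["source"])
        g["severity"] = max(g["severity"], r["severity"])  # keep the worst rating
    return list(groups.values())


def lost_without(records, source):
    """Vulnerabilities that are known only through `source`."""
    return sorted(min(g["ids"]) for g in merge(records) if g["sources"] == {source})


if __name__ == "__main__":
    for src in ("NVD", "GHSA", "RHSA"):
        print(src, "only:", lost_without(RECORDS, src))
```

Running the same check against real feeds shows which entries depend on a single provider and where an additional source would add redundancy.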
The following further integrations of vulnerability databases are planned on the Versio.io
product roadmap:
- European Vulnerability Database (EUVD) of the European Union: https://euvd.enisa.europa.eu
- Open Source Vulnerabilities (OSV): https://osv.dev
- VDE Cert for OT/IoT: https://www.vde.com/topics-de/digital-security/cert-vde
The Versio.io team sees the debate triggered by the US government's decision as
a great opportunity to strengthen digital resilience by building distributed vulnerability
databases and to sustainably improve the quality of vulnerability information. In
particular, the reliability of MITRE and the NIST database in terms of timeliness and
content has been increasingly criticized in recent months.
With the beta version of the European Vulnerability Database (EUVD) published in
April 2025, the European Union Agency for Cybersecurity (ENISA) has already taken
an important step to compensate for the possible failure of the US National Vulnerability
Database (NVD).
Author

Matthias Scholze
Chief Technology Officer
P: +49-30-221986-51
