Fixing Vulnerability Data Quality Requires Fixing the Architecture First

Help Net Security
Apr 13, 2026

Why It Matters

Without an architecture that enforces precise, observable assertions, vulnerability repositories will continue to produce unreliable data, hampering security decision‑making across the industry.

Key Takeaways

  • Vulnerability data quality hinges on architecture, not just metrics
  • No universal Minimum Viable Vulnerability Enumeration exists across repositories
  • Inconsistent CPE naming affects over 50% of NVD vendor entries
  • Metrics like CVSS scores can distort risk assessment priorities
  • Each assertion must be observable, precise, and include provenance

Pulse Analysis

The root cause of poor vulnerability data lies in systems that were never built to capture, manage, and evolve security assertions. Manion’s Minimum Viable Vulnerability Enumeration (MVVE) proposal reveals that a fixed checklist cannot reconcile disparate feeds; instead, repositories need a shared vocabulary and a design that treats each data point as an independent, verifiable claim. By focusing on architecture first, the community can avoid the endless cycle of patching inconsistent formats with ad‑hoc fixes.

Practically, the fallout is evident in the National Vulnerability Database, where more than half of vendor names in CPE entries are inconsistent, undermining automated tooling and risk scoring. Over‑emphasis on CVSS or CWE counts creates a metric‑driven incentive structure that rewards quantity over accuracy, leading analysts to chase scores rather than contextual risk. This distortion erodes trust and forces security teams to spend valuable time reconciling contradictory records.

The path forward requires establishing core principles: every assertion must be simple, observable, and carry provenance; records must be mutable to reflect evolving knowledge; and governance must enforce shared standards before any new specification is drafted. By embedding these requirements into the architecture of vulnerability repositories, the industry can produce data that is both machine‑usable and trustworthy, ultimately enabling faster, more precise remediation decisions.
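As an added example (not code from the article or from Manion’s proposal), the following Python models each data point as an assertion carrying provenance and runs an observable check for the CPE vendor-spelling inconsistency described above. The field names, the normalization rule and all sample values (placeholder CVE ids, constructed CPE 2.3 strings) are assumptions.

```python
from collections import defaultdict
from typing import NamedTuple
# The 13 components of a CPE 2.3 formatted string, in order.
CPE23_FIELDS = ["cpe", "cpe_version", "part", "vendor", "product", "version",
                "update", "edition", "language", "sw_edition", "target_sw",
                "target_hw", "other"]

class Assertion(NamedTuple):
    """One verifiable claim about a record, plus who asserted it and when."""
    cve_id: str       # placeholder ids below (CVE-0000-*), not real CVEs
    field_name: str   # what is asserted, e.g. "affected_cpe"
    value: str
    source: str       # provenance: the feed or analyst making the claim
    observed_at: str  # provenance: ISO 8601 date the claim was observed

def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 string on unescaped colons into named components."""
    fields, cur, i = [], "", 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):  # keep "\:" etc. literally
            cur, i = cur + cpe[i:i + 2], i + 2
        elif cpe[i] == ":":
            fields, cur, i = fields + [cur], "", i + 1
        else:
            cur, i = cur + cpe[i], i + 1
    fields.append(cur)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a well-formed CPE 2.3 string: {cpe}")
    return dict(zip(CPE23_FIELDS, fields))

def normalize_vendor(vendor: str) -> str:
    """Fold case, underscores and hyphens so spelling variants compare equal."""
    return vendor.lower().replace("_", "").replace("-", "")

def inconsistent_vendors(assertions):
    """Vendors spelled more than one way: {normalized: sorted raw spellings}."""
    spellings = defaultdict(set)
    for a in assertions:
        if a.field_name == "affected_cpe":
            vendor = parse_cpe23(a.value)["vendor"]
            spellings[normalize_vendor(vendor)].add(vendor)
    return {k: sorted(v) for k, v in spellings.items() if len(v) > 1}

# Constructed sample assertions with provenance (not real NVD data).
SAMPLE = [
    Assertion("CVE-0000-0001", "affected_cpe", "cpe:2.3:a:example_corp:widget:1.0:*:*:*:*:*:*:*", "feed-a", "2026-01-10"),
    Assertion("CVE-0000-0002", "affected_cpe", "cpe:2.3:a:Example-Corp:widget:1.1:*:*:*:*:*:*:*", "feed-b", "2026-02-03"),
    Assertion("CVE-0000-0003", "affected_cpe", "cpe:2.3:a:other_vendor:tool:2.0:*:*:*:*:*:*:*", "feed-a", "2026-02-20"),
]
```

The check depends only on the asserted values and their source, so any two repositories running it over the same records reach the same result.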
