By LOGICFALCON
20 Feb 2026, Asia

Red Tape and Red Flags: Inside China’s Secretive Vulnerability Watchdogs

China’s twin cyber vulnerability databases reveal conflicting disclosure practices, muddying the global security waters.

When a software flaw is discovered, the world’s security experts typically turn to international databases for answers. But in China, a parallel universe of government-run vulnerability trackers is rewriting the rules - and keeping the world guessing. As global reliance on standardized threat intelligence grows, China’s dual approach raises questions about transparency, timing, and national priorities in cybersecurity.

China’s two-pronged system - the Chinese National Vulnerability Database (CNVD) and the China National Vulnerability Database of Information Security (CNNVD) - is a study in contrasts. While both mirror the Western CVE system, they operate under strict government oversight and follow distinct rules. CNVD, managed by CNCERT, focuses on defensive warnings, while CNNVD, under China’s Ministry of State Security, supports broader intelligence goals.

Unlike the open, machine-readable formats of the U.S.-based CVE and NVD, China’s databases require user logins and manual downloads. The XML files are riddled with inconsistencies, typos, and parsing errors - clear evidence of hand-entered data. Their own identifier schemes and the absence of reliable cross-references to CVE IDs further complicate global tracking efforts.

Policy is at the heart of China’s approach. The 2021 Regulation on the Management of Network Product Security Vulnerabilities (RMSV) mandates near-immediate reporting to authorities and strictly prohibits the publication of details or exploits before official patches. This not only delays public awareness but can obscure the true risk landscape for anyone outside China’s firewall.

Despite these hurdles, Chinese databases grow in lockstep with MITRE’s CVE list, but their timelines tell a different story. In a small but significant number of cases, Chinese disclosures actually beat Western databases to the punch - sometimes by months. However, these early entries tend to be lower in severity, implying that China may still rely on Western sources for the most critical flaws.
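The two practical problems the article raises, feeds with hand-entered defects and disclosure dates that sometimes precede the Western record, are the kind of thing a monitoring pipeline has to absorb rather than choke on. The following Python example is added here and is not code from the article or from CNVD/CNNVD; the XML layout, tag names, identifiers, dates and severity labels are all constructed for illustration and are not the real schema of either database. It shows a tolerant parser that survives misspelled tags, mixed date formats and Chinese or English severity labels, recovers CVE cross-references even when they only appear in free text, flags each anomaly, and then computes how many days an entry ran ahead of (or behind) a constructed CVE publication date.

```python
import re
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample feed: a hypothetical layout that only mimics the kinds
# of defects described above (misspelled tags, re-cased tags, inconsistent
# date formats, missing cross-references). It is NOT the real CNVD/CNNVD schema.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<vulnerabilities>
  <vulnerability>
    <number>CNVD-2025-000001</number>
    <title>Buffer overflow in ExampleRouter firmware</title>
    <cves><cve><cveNumber>CVE-2025-11111</cveNumber></cve></cves>
    <openTime>2025-03-02</openTime>
    <severity>高</severity>
  </vulnerability>
  <vulnerability>
    <number>CNVD-2025-000002</number>
    <title>Auth bypass in ExampleCMS (see cve-2025-22222)</title>
    <cves/>
    <opentime>2025/03/05</opentime>
    <serverity>中</serverity>
  </vulnerability>
  <vulnerability>
    <number>CNVD-2025-000003</number>
    <title>Information disclosure in DomesticApp</title>
    <openTime>2025-03-07</openTime>
    <severity>低</severity>
  </vulnerability>
</vulnerabilities>
""".encode("utf-8")

# Constructed stand-in for CVE/NVD publication dates (not real data).
CVE_DATES = {
    "CVE-2025-11111": date(2025, 2, 20),   # CVE record came out first
    "CVE-2025-22222": date(2025, 5, 1),    # Chinese entry came out first
}

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
DATE_RE = re.compile(r"(\d{4})[-/.](\d{1,2})[-/.](\d{1,2})")
ISO_DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")
# Multilingual severity labels normalised to one scale.
SEVERITY_MAP = {"高": "HIGH", "high": "HIGH", "中": "MEDIUM", "medium": "MEDIUM",
                "低": "LOW", "low": "LOW"}


def find_child(elem, *candidates):
    """First direct child whose tag matches any candidate, case-insensitively,
    so a re-cased or misspelled tag (passed as a candidate) still parses."""
    wanted = {c.lower() for c in candidates}
    for child in elem:
        if child.tag.lower() in wanted:
            return child
    return None


def child_text(elem, *candidates):
    child = find_child(elem, *candidates)
    return (child.text or "").strip() if child is not None else ""


def parse_date(text):
    """Accept YYYY-MM-DD, YYYY/MM/DD or YYYY.MM.DD; None if unparseable."""
    m = DATE_RE.search(text or "")
    if not m:
        return None
    y, mo, d = (int(g) for g in m.groups())
    try:
        return date(y, mo, d)
    except ValueError:
        return None


def parse_feed(xml_bytes):
    """Parse the feed into normalised dicts, recording every anomaly seen."""
    entries = []
    for item in ET.fromstring(xml_bytes).iter("vulnerability"):
        issues = []
        title = child_text(item, "title")
        # Severity: tolerate the 'serverity' typo but record that we saw it.
        if find_child(item, "severity") is None and find_child(item, "serverity") is not None:
            issues.append("misspelled_severity_tag")
        severity = SEVERITY_MAP.get(child_text(item, "severity", "serverity").lower(), "UNKNOWN")
        if severity == "UNKNOWN":
            issues.append("unmapped_severity")
        # Dates: parse leniently, but flag anything that is not ISO 8601.
        date_text = child_text(item, "openTime", "publishTime")
        published = parse_date(date_text)
        if published is None:
            issues.append("unparseable_date")
        elif not ISO_DATE_RE.fullmatch(date_text):
            issues.append("nonstandard_date_format")
        # Cross-references: structured <cves> block first, then the title,
        # because hand-entered data often carries the only CVE id in free text.
        cves_elem = find_child(item, "cves")
        structured = {m.upper() for node in (cves_elem.iter() if cves_elem is not None else [])
                      for m in CVE_RE.findall(node.text or "")}
        free_text = {m.upper() for m in CVE_RE.findall(title)}
        cves = structured | free_text
        if not structured and free_text:
            issues.append("cve_only_in_free_text")
        if not cves:
            issues.append("no_cve_crossref")
        entries.append({"id": child_text(item, "number", "id"), "title": title,
                        "severity": severity, "published": published,
                        "cves": cves, "issues": issues})
    return entries


def lead_time_vs_cve(entries, cve_published):
    """Days each entry appeared BEFORE its CVE record (negative = after)."""
    lead = {}
    for e in entries:
        if e["published"] is None:
            continue
        for cve in sorted(e["cves"]):
            if cve in cve_published:
                lead[(e["id"], cve)] = (cve_published[cve] - e["published"]).days
    return lead


if __name__ == "__main__":
    parsed = parse_feed(SAMPLE_FEED)
    for e in parsed:
        print(e["id"], e["severity"], e["published"], sorted(e["cves"]), e["issues"])
    for (vid, cve), days in lead_time_vs_cve(parsed, CVE_DATES).items():
        print(f"{vid} vs {cve}: {days:+d} days")
```

Two design points carry over to real feeds: the parser never drops an entry because of a defect (it normalises what it can and attaches an issue list, so the anomalies themselves become monitorable data), and the lead-time calculation keys on the recovered CVE ID, which is the only join key that works across databases using their own identifier schemes.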

After the 2021 policy shift, both CNVD and CNNVD reduced listings for non-CVE vulnerabilities, especially those tied to domestic products. This selective transparency could mean hidden risks for global organizations using China-specific software. Meanwhile, historical evidence shows CNNVD has altered past entries for high-threat vulnerabilities, raising further questions about data integrity and political motivations.

With CVE funding under scrutiny and global digital interdependence deepening, security professionals are urged to monitor non-Western sources. The fragmented nature of China’s reporting not only challenges international threat intelligence but also underscores the need for diversified, multilingual security monitoring. As automated tools evolve, bridging these gaps will be essential for staying ahead of adversaries - regardless of which side of the firewall they operate from.

In the shadowy world of vulnerability disclosure, China’s dual databases are both a mirror and a mask - reflecting some of the world’s threats while hiding others. For those tasked with defending global networks, the message is clear: trust, but verify, and never look in just one direction.

WIKICROOK

  • CVE: CVE, or Common Vulnerabilities and Exposures, is a system for uniquely identifying and tracking publicly known cybersecurity flaws in software and hardware.
  • CNVD: CNVD is China’s official database for information security vulnerabilities, managed by CNCERT, focusing on vulnerability reporting, analysis, and coordinated defense.
  • CNNVD: CNNVD is China’s official vulnerability database, managed by the Ministry of State Security, cataloging software and hardware security issues.
  • CVSS: CVSS (Common Vulnerability Scoring System) is a standard method for rating the severity of security flaws, with scores from 0.0 to 10.0.
  • CWE: CWE is a standardized system for classifying software and hardware security weaknesses, aiding in vulnerability identification and risk management.

LOGICFALCON, Log Intelligence Investigator