NEWS "That'll do." China decided to build its own CVE with typos and intelligence agencies.

pinkman

We're looking into where business risk data is actually hidden.
Bitsight analysts examined how China is building its own vulnerability reporting system amid the turbulence surrounding the Western CVE and NVD infrastructure. The review was prompted by disruptions at the US National Vulnerability Database and temporary uncertainty over funding for the CVE program, which led the market to take a closer look at alternative data sources.

The focus was on two government databases: the China National Vulnerability Database of Information Security, better known as CNNVD, and the Chinese National Vulnerability Database, or CNVD. The former is overseen by a body within the Ministry of State Security, while the latter is managed by the Chinese Computer Emergency Response Team (CNCERT). The databases operate in parallel, use their own identifiers, and are populated differently.

Analysis revealed that most entries in the Chinese catalogs duplicate CVE data. Both databases have a field for CVE identifiers, but they do not synchronize their records with each other. Furthermore, the databases contain typos and format inconsistencies, which points to manual data processing and complicates automated matching. Aggregating data from NVD and CVE remains the foundation of most commercial vulnerability management tools.

The difference in publication times was of particular interest. In the vast majority of cases, information about a flaw appears in the Chinese databases on the same day as, or later than, the CVE entry. However, approximately 1,400 entries were published in CNNVD and CNVD before the corresponding CVEs were publicly listed, with an average lead of roughly three months. This echoes long-standing concerns about how China uses vulnerability information obtained from foreign partners. Examples include vulnerabilities in Siemens products, Kubernetes, SAP, and WordPress plugins, where the Chinese descriptions essentially matched those that later appeared in the international catalog.

The study's authors also found records with no CVE affiliation. Some of these were likely never matched to international identifiers because of inaccuracies; others may concern products with limited presence in Western markets. After the vulnerability management regulation took effect in July 2021, the pace of publishing such records changed: CNVD significantly reduced the frequency of disclosures of flaws without international identifiers, while CNNVD had cut back even earlier but increased activity again in 2025.

A separate analysis of the severity distribution showed that, when the Chinese databases published first, they more often classified vulnerabilities as low or unspecified severity. This indirectly indicates reliance on Western ratings and methodologies such as CVSS, as their own scale was not always fully populated.
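To make the matching and timing problems described above concrete, here is an added example that is not part of the post or of the Bitsight study: it normalizes CVE identifiers that carry the kinds of typos and format differences the post mentions, joins catalog records to a CVE publication list, and reports how many records appeared before their CVE listing, the mean lead in days, and the severity distribution of those early records. The catalog entries and dates are constructed sample data, not records from CNNVD, CNVD or CVE.

```python
"""Reconciling vulnerability records from several catalogs on CVE id.

Added example, not code from the post or from Bitsight. All records,
dates and ids below are constructed for illustration.
"""
import re
from collections import Counter
from datetime import date

# Tolerant pattern: accepts 'CVE-2024-1234', 'cve 2024-1234', 'CVE_2024-01234'.
CVE_RE = re.compile(r"cve[\s_\-]*(\d{4})[\s_\-]*(\d{4,7})", re.IGNORECASE)


def normalize_cve(raw):
    """Return a canonical 'CVE-YYYY-NNNN' string, or None if no id is recoverable.

    Sequence numbers are at least four digits; a spurious leading zero
    ('CVE-2024-01234') is stripped, while 'CVE-2024-0042' is kept as-is.
    """
    if not raw:
        return None
    m = CVE_RE.search(raw)
    if not m:
        return None
    year, seq = m.group(1), m.group(2).lstrip("0") or "0"
    return f"CVE-{year}-{seq.zfill(4)}"


# Constructed CVE catalog: canonical id -> date the CVE was publicly listed.
CVE_PUBLISHED = {
    "CVE-2024-1001": date(2024, 6, 1),
    "CVE-2024-1002": date(2024, 6, 1),
    "CVE-2024-0042": date(2024, 9, 15),
}

# Constructed local-catalog records showing the defects the post describes:
# stray whitespace, wrong case, a spurious leading zero, a blank id, and an
# id that exists in no international catalog.
LOCAL_RECORDS = [
    {"source": "CNNVD", "local_id": "CNNVD-X-1", "cve": "CVE-2024-1001",
     "published": date(2024, 6, 1), "severity": "high"},
    {"source": "CNVD", "local_id": "CNVD-X-1", "cve": "cve 2024-1002 ",
     "published": date(2024, 3, 3), "severity": ""},
    {"source": "CNNVD", "local_id": "CNNVD-X-2", "cve": "CVE-2024-00042",
     "published": date(2024, 6, 17), "severity": "low"},
    {"source": "CNVD", "local_id": "CNVD-X-2", "cve": "",
     "published": date(2024, 7, 1), "severity": "medium"},
    {"source": "CNNVD", "local_id": "CNNVD-X-3", "cve": "CVE-2024-9999",
     "published": date(2024, 8, 1), "severity": "medium"},
]


def reconcile(local_records, cve_published):
    """Join local records to the CVE catalog by normalized id.

    Returns (matched, unmatched). Each matched row carries lead_days =
    CVE listing date minus local publication date, so a positive value
    means the local catalog was ahead of the CVE listing.
    """
    matched, unmatched = [], []
    for rec in local_records:
        cve = normalize_cve(rec["cve"])
        if cve is None or cve not in cve_published:
            unmatched.append({**rec, "cve_normalized": cve})
            continue
        lead = (cve_published[cve] - rec["published"]).days
        matched.append({**rec, "cve_normalized": cve, "lead_days": lead})
    return matched, unmatched


def early_disclosure_stats(matched):
    """Summarize records that appeared before their CVE listing.

    Blank severity is counted as 'unspecified', mirroring the observation
    that early records often carry a low or unspecified rating.
    """
    early = [m for m in matched if m["lead_days"] > 0]
    if not early:
        return {"count": 0, "mean_lead_days": 0.0, "severity": {}}
    mean = sum(m["lead_days"] for m in early) / len(early)
    sev = Counter((m["severity"] or "unspecified").lower() for m in early)
    return {"count": len(early), "mean_lead_days": mean, "severity": dict(sev)}


if __name__ == "__main__":
    matched, unmatched = reconcile(LOCAL_RECORDS, CVE_PUBLISHED)
    print(f"matched {len(matched)}, unmatched {len(unmatched)}")
    for u in unmatched:
        print("  unmatched:", u["source"], u["local_id"], repr(u["cve"]))
    print(early_disclosure_stats(matched))
```

Two design points matter for real aggregation work: the normalizer only repairs defects that cannot change which CVE is meant (case, separators, a leading zero that would make the sequence longer than a valid id), and anything it cannot recover stays in the unmatched bucket for manual review rather than being guessed. Records that never match, like the constructed CNVD-X-2 and CNNVD-X-3 rows, are exactly the "no CVE affiliation" set the post says deserves separate attention.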

In general, the Chinese catalogs have historically followed CVE and largely replicated its structure, but the new regulations have strengthened government oversight of information disclosure. Despite all the problems of the Western ecosystem, standardized mechanisms such as CVE and NVD remain more mature in terms of machine readability and unification. However, the analysis of the Chinese databases shows that some risk data may emerge outside traditional channels, meaning the global vulnerability landscape is broader than commonly believed.