Why does China spot security vulnerabilities quicker than the US?

Hackers could have a head start on researching exploits that US firms have not yet caught wind of

In a world of state-sponsored hackers, highly motivated cybercrime gangs and determined hacktivists, mitigating software vulnerabilities is an essential part of the job for IT security teams. Many look to authoritative, centralised sources to help manage their risk exposure, such as the US government's National Vulnerability Database (NVD). However, new research has found that vulnerabilities appear far more quickly in the Chinese equivalent, the CNNVD.

This not only means Chinese firms could, in theory, harden themselves against attack more quickly than their Western counterparts; it could also give hackers a head start on researching exploits for flaws that US firms have not yet caught wind of. Given the huge resources Washington ploughs into offensive cyber-operations, it is surely not much to ask that it gets more proactive about supporting organisations' vulnerability management efforts.

Recorded Future analysed 17,940 vulnerabilities disclosed between September 2015 and September 2017, measuring how many days after initial public disclosure each one appeared in the NVD and in the CNNVD. It found an average delay of 38 days for the NVD, versus just 13 days for the CNNVD. The gap at the tail is even wider: the CNNVD captures 90% of all vulnerabilities within 18 days, while the NVD takes 92 days to reach the same coverage.
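The two figures quoted above (the mean lag and the number of days needed to reach 90% coverage) are easy to reproduce for any pair of vulnerability feeds. The following is an added example, not Recorded Future's code or data: it runs over a small constructed set of records with hypothetical disclosure and publication dates, and it also handles the case the headline numbers gloss over, a vulnerability that has not yet appeared in one of the databases at all.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Record:
    """One vulnerability and the dates it surfaced in each source.

    None for a database field means the entry had not appeared in that
    database by the cut-off date of the analysis (right-censored).
    """
    label: str
    disclosed: date          # first public disclosure (vendor bulletin, list post, etc.)
    nvd: Optional[date]      # date the entry appeared in the NVD
    cnnvd: Optional[date]    # date the entry appeared in the CNNVD


def lag_days(disclosed: date, appeared: Optional[date]) -> Optional[int]:
    """Days between public disclosure and appearance in a database.

    Returns None when the entry never appeared. An appearance that predates
    the recorded disclosure (usually a data-quality problem with the
    disclosure date) is clamped to 0 rather than reported as a negative lag.
    """
    if appeared is None:
        return None
    if appeared < disclosed:
        return 0
    return (appeared - disclosed).days


def summarize(lags: list[Optional[int]], coverage_pct: int = 90) -> dict:
    """Mean lag over captured entries and days needed to capture coverage_pct.

    Uncaptured entries (None) are excluded from the mean but still count
    towards the denominator of the coverage figure, so a database that
    silently drops entries cannot look faster than it is.
    """
    captured = sorted(lag for lag in lags if lag is not None)
    total = len(lags)
    # Integer ceiling of total * coverage_pct / 100, avoiding float rounding.
    needed = (total * coverage_pct + 99) // 100
    days_to_coverage = captured[needed - 1] if 0 < needed <= len(captured) else None
    return {
        "mean_lag": mean(captured) if captured else None,
        "days_to_coverage": days_to_coverage,
        "missing": total - len(captured),
    }


def compare(records: list[Record], coverage_pct: int = 90) -> dict:
    """Per-database latency summary for a set of records."""
    return {
        "nvd": summarize([lag_days(r.disclosed, r.nvd) for r in records], coverage_pct),
        "cnnvd": summarize([lag_days(r.disclosed, r.cnnvd) for r in records], coverage_pct),
    }


# Constructed sample data with hypothetical labels and dates; not real CVEs
# and not the Recorded Future dataset. sample-10 has not reached the NVD yet.
SAMPLE_RECORDS = [
    Record("sample-01", date(2017, 1, 1),  date(2017, 1, 3),  date(2017, 1, 1)),
    Record("sample-02", date(2017, 1, 5),  date(2017, 1, 9),  date(2017, 1, 6)),
    Record("sample-03", date(2017, 1, 10), date(2017, 1, 16), date(2017, 1, 12)),
    Record("sample-04", date(2017, 2, 1),  date(2017, 2, 9),  date(2017, 2, 4)),
    Record("sample-05", date(2017, 2, 10), date(2017, 2, 20), date(2017, 2, 14)),
    Record("sample-06", date(2017, 3, 1),  date(2017, 3, 13), date(2017, 3, 6)),
    Record("sample-07", date(2017, 3, 15), date(2017, 3, 29), date(2017, 3, 21)),
    Record("sample-08", date(2017, 4, 1),  date(2017, 4, 17), date(2017, 4, 8)),
    Record("sample-09", date(2017, 4, 20), date(2017, 5, 8),  date(2017, 4, 28)),
    Record("sample-10", date(2017, 5, 1),  None,              date(2017, 5, 10)),
]

if __name__ == "__main__":
    for name, stats in compare(SAMPLE_RECORDS).items():
        print(f"{name}: mean lag {stats['mean_lag']} days, "
              f"90% captured within {stats['days_to_coverage']} days, "
              f"{stats['missing']} not yet captured")
```

On the constructed data the NVD column averages 10 days with one entry still missing and reaches 90% coverage at day 18, while the CNNVD column averages 4.5 days and reaches 90% at day 8. The design choice worth noting is in `summarize`: an entry absent from a database is kept in the denominator of the coverage figure, so the "days to 90%" metric is None when fewer than 90% of entries have been captured at all, rather than being computed over only the entries that happened to make it in.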

The explanation appears to lie in how the two databases are managed and operate. The NVD is run by the Security Testing, Validation and Measurement Group of the Information Technology Laboratory at the National Institute of Standards and Technology (NIST). However, it only includes a vulnerability once its CVE entry has been published in the CVE Dictionary run by the non-profit MITRE Corporation. MITRE manages the entire CVE process, including the selection and oversight of CVE Numbering Authorities (CNAs). Major software developers such as Oracle and Microsoft are CNAs, and they typically disclose details of a vulnerability, its potential impact, the affected products and any available patches in a security bulletin on their own websites. This is where the process stalls: publishing the bulletin does not automatically update the MITRE CVE Dictionary, so the NVD may not see the entry until some time later. As Recorded Future explains:
