China’s Dual Vulnerability Databases Expose Conflicting Disclosure Timelines
By Varshini
February 20, 2026
In 2026, cybersecurity experts scrutinize global vulnerability databases amid concerns about Western systems such as CVE and NVD. China’s parallel databases, CNVD and CNNVD, reveal stark differences in disclosure practices, timelines, and data quality compared to international standards.
Dual Databases and Strict Policies
China operates two distinct national vulnerability databases: the Chinese National Vulnerability Database (CNVD), managed by CNCERT for defensive warnings, and the China National Vulnerability Database of Information Security (CNNVD), run by CNITSEC under the Ministry of State Security to support broader security efforts. These systems mirror many CVEs but use unique IDs and lack cross-references.
A 2021 policy, the Regulation on the Management of Network Product Security Vulnerabilities (RMSV), mandates reporting flaws to the Ministry of Industry and Information Technology within 48 hours of discovery, bans the disclosure of pre-patch details or exploits, and prohibits exaggerating severity.
Access requires login and manual downloads of XML files, which often contain parsing errors from apparent manual entry.
Logins for CNNVD and CNVD (Source: Bitsight)
The growth of both databases closely tracks MITRE’s CVE list, but their severity categories differ slightly from CVSS, with statistical variances noted.
CNVD includes submission and publication timestamps, which show 90% of entries published within a week. CNNVD, for its part, features vulnerability types that are akin to, but distinct from, CWE.
Conflicting Timelines and Early Disclosures
Analysis of CVEs since 2011 shows that the Chinese databases publish most entries after or simultaneously with CVE/NVD, but 0.55% of entries in CNNVD and 0.18% in CNVD precede them, totaling about 1,400 cases, often by months. CNNVD responds within a week 84% of the time, versus CNVD’s 27%. Examples include:
Early Chinese entries skew toward lower severity, suggesting a later reliance on Western sources.
Typos in CVE fields (e.g., wrong dashes) and date mismatches indicate manual processes, complicating matches. Non-CVE entries dropped post-RMSV, especially in CNVD, possibly hiding domestic flaws or China-specific software risks.
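The matching problem described above can be handled by normalizing the CVE field before joining and then computing the publication lead. The following is an added example, not code from the article or from Bitsight; the record layout, the `LOCAL-` identifiers, the `CVE-2099-` numbers and all dates are constructed placeholders.

```python
import re
import unicodedata
from datetime import date

# Dash look-alikes that turn up in hand-typed CVE fields (hyphen, en/em dash, minus sign).
DASHES = dict.fromkeys(map(ord, "\u2010\u2011\u2012\u2013\u2014\u2015\u2212"), "-")
CVE_RE = re.compile(r"CVE-([0-9]{4})-([0-9]{4,})")

def normalize_cve(raw):
    """Return canonical 'CVE-YYYY-NNNN', or None if the field cannot be repaired."""
    # NFKC folds fullwidth letters, digits and hyphens to ASCII first.
    text = unicodedata.normalize("NFKC", raw or "").translate(DASHES)
    text = re.sub(r"-+", "-", re.sub(r"\s+", "", text)).upper()
    m = CVE_RE.fullmatch(text)
    return f"CVE-{m.group(1)}-{m.group(2)}" if m else None

def compare(records, cve_published):
    """Split records into (early, unmatched).

    early: (cve_id, local_id, lead_days) where the local entry predates the CVE date.
    unmatched: local ids whose CVE field is unusable or unknown, for manual review.
    """
    early, unmatched = [], []
    for local_id, raw_cve, local_date in records:
        cve = normalize_cve(raw_cve)
        if cve not in cve_published:
            unmatched.append(local_id)
            continue
        lead = (cve_published[cve] - local_date).days
        if lead > 0:
            early.append((cve, local_id, lead))
    return early, unmatched

# Constructed sample data: identifiers and dates are placeholders, not real entries.
RECORDS = [
    ("LOCAL-0001", "CVE\u20132099\u20130001", date(2099, 1, 5)),    # en dashes
    ("LOCAL-0002", "cve\uff0d2099\uff0d0002 ", date(2099, 3, 1)),   # fullwidth hyphens
    ("LOCAL-0003", "CVE-2099-0003", date(2099, 4, 10)),             # published after CVE
    ("LOCAL-0004", "CVE-2099-00X4", date(2099, 5, 1)),              # not repairable
]
CVE_PUBLISHED = {
    "CVE-2099-0001": date(2099, 2, 4),
    "CVE-2099-0002": date(2099, 3, 1),
    "CVE-2099-0003": date(2099, 4, 2),
}

if __name__ == "__main__":
    early, unmatched = compare(RECORDS, CVE_PUBLISHED)
    print("early:", early)
    print("unmatched:", unmatched)
```

Entries that land in `unmatched` are the ones that would otherwise silently drop out of a timeline comparison, so they are worth reviewing by hand rather than discarding.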
Growth of CNVD and CNNVD from earliest publication date. MITRE CVE list for comparison. Note this contains all public CVEs in the MITRE list, including those marked as REJECTED. (Source: Bitsight)
Severity distributions remain stable post-policy, but CNNVD improved completeness. Historically, CNNVD sometimes outpaced NVD (13 vs. 33 days average), with past data alterations noted for high-threat vulns.
According to Bitsight, these discrepancies highlight blind spots in global vulnerability tracking.
While CVE offers standardized, machine-readable data via CVSS, CWE, and CPE, China’s controlled approach prioritizes national security, potentially delaying global awareness.
Organizations should monitor non-Western databases for comprehensive risk management, especially amid CVE funding worries. Future NLP-based matching could link more entries, which underscores the need for diversified intelligence sources.