China’s Parallel CVE Systems Expose Alternate Vulnerability Disclosure Timeline - gbhackers.com

gbhackers.com Archived Mar 18, 2026 ✓ Full text saved

By Mayura Kathir, February 19, 2026

Beyond CVE, China’s dual vulnerability databases, CNVD and CNNVD, show that vulnerability disclosure is not a single, global, unified process but a set of parallel systems with different rules, incentives, and timelines.

China runs two national vulnerability databases: CNNVD, operated under the Ministry of State Security, and CNVD, operated by CNCERT as a defender-focused coordination platform. While both catalog software and hardware flaws, they use their own IDs, schemas, and categorizations instead of fully adopting Western standards such as CWE and CPE.

CNNVD closely shadows CVE and NVD and historically has contained slightly more entries than US-maintained datasets over certain time ranges, while CNVD is smaller and more uneven in its coverage. Both systems include a CVE field, but they do not systematically cross-reference each other, which complicates correlation and automation work for defenders.

China also regulates vulnerability handling via the “Provisions on the Management of Network Product Security Vulnerabilities”, issued in July 2021 and in force since September 2021. The regulation forces vendors and operators to report vulnerabilities to authorities, patch them promptly, and retain logs, while imposing conditions on public disclosure.

Both CNNVD and CNVD require account creation, email verification, and logins to access data.

[Figure: Logins for CNNVD and CNVD (Source: BITSIGHT)]

The regulation explicitly restricts publishing exploit code, forbids exaggerating severity, and requires coordination with state agencies, a sharp contrast to the more voluntary, researcher-led disclosure norms common around CVE and NVD.

China’s Parallel CVE Systems

While XML is not my preferred document based data format, it can be parsed like any other. However, errors in the entries in both databases mean that simply asking your favorite XML engine to parse the data.

[Figure: Growth of CNVD and CNNVD from earliest publication date (Source: BITSIGHT)]

Studies comparing the databases show that CNNVD has only a relatively small subset of entries without a CVE mapping, on the order of ten thousand out of well over a hundred thousand total vulnerabilities. Where CVE and NVD provide richer structured data (CVSS, CWE, and more mature affected-product modeling), the Chinese databases tend to provide simpler categorical severity and free-text descriptions.

Under the surface, however, a small but important set of vulnerabilities appears in CNNVD and CNVD well before they are recorded as published in CVE or NVD, sometimes by several months.

There are two other structured and easily analyzable fields in CNVD: the open and submission times. These are, presumably, when the vulnerability was first submitted to the database and when it was finally published.

[Figure: Arcs of delays between open and submission times when the delay is more than a week (Source: BITSIGHT)]

In a few cases, researchers have identified Chinese entries that either never gained a corresponding public CVE or that relate to products and vendors with little presence in Western markets, suggesting that some exposures tracked in China remain under-represented in Western datasets.

These quality problems, combined with manual web-based exports rather than modern APIs, make large-scale ingestion and correlation harder than with NVD, even when the underlying vulnerability set is similar.

What 2026 Might Look Like

The 2021 Chinese regulations have influenced what gets published and when, especially around entries that lack CVE mappings.

At the same time, hygiene issues are visible on the Chinese side as well. Analyses report malformed or mismatched CVE identifiers, inconsistent dates, and missing or misaligned severity scores in CNVD and CNNVD feeds.

[Figure: Severity of vulnerabilities relative to their publication time (Source: BITSIGHT)]

Researchers have observed shifts in the rate at which non-CVE vulnerabilities are exposed in CNVD and CNNVD around and after the policy date, with some evidence that CNNVD in particular slowed publication of non-mapped vulnerabilities for a period before increasing output again more recently. This pattern is consistent with a tightening of state control over what vulnerability information becomes public, and when, rather than a purely organic evolution of a community-driven database.

For defenders and analysts heading into 2026, the lesson is twofold. First, relying solely on CVE and NVD risks missing context, timing differences, and region-specific exposures that show up first or only in foreign national databases such as CNNVD and CNVD. Second, despite recent strains on the NVD and the CVE program, Western infrastructure still offers more standardized, machine-readable, and transparent data than what is officially exposed from China, especially around CVSS, CWE, and derived frameworks like KEV lists and probabilistic exploit scoring.

In a world of competing disclosure regimes, the real advantage goes to teams that can fuse these disparate feeds, normalize their quirks, and reason about the gaps between them.
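As an added illustration (not code from the article or from the research it cites), the sketch below shows one way to normalize malformed CVE fields and inconsistent dates before comparing a Chinese-database publication date with the NVD date. The record layout, key names, entry IDs, CVE numbers and dates are all constructed placeholders, not the real CNVD or CNNVD schema.

```python
import re
from datetime import date

# Constructed records, not real CNVD/CNNVD data; keys and IDs are placeholders.
SAMPLE_ENTRIES = [
    {"id": "CN-EXAMPLE-1", "cve": "CVE-9999-0001", "published": "2024-01-10"},
    {"id": "CN-EXAMPLE-2", "cve": " cve_9999_0002 ", "published": "2024/03/05"},
    {"id": "CN-EXAMPLE-3", "cve": "CVE\u20119999\u20110003", "published": "2024-02-30"},
    {"id": "CN-EXAMPLE-4", "cve": "CVE-9999-12", "published": "2024-04-01"},
    {"id": "CN-EXAMPLE-5", "cve": "", "published": "2024-04-02"},
    {"id": "CN-EXAMPLE-6", "cve": "CVE-9999-0006", "published": "2024-04-03"},
]
# Constructed stand-in for NVD publication dates, keyed by canonical CVE ID.
NVD_PUBLISHED = {"CVE-9999-0001": date(2024, 1, 8), "CVE-9999-0002": date(2024, 6, 3)}

def normalize_cve(raw):
    """Return canonical CVE-YYYY-NNNN, or None when the field cannot be trusted."""
    # Collapse whitespace, underscores and Unicode dashes into one ASCII hyphen.
    cleaned = re.sub(r"[\s_\-\u2010-\u2015]+", "-", raw.strip().upper())
    return cleaned if re.fullmatch(r"CVE-\d{4}-\d{4,}", cleaned) else None

def parse_date(raw):
    """Parse YYYY-MM-DD or YYYY/MM/DD; return None for impossible dates."""
    m = re.fullmatch(r"(\d{4})[-/](\d{1,2})[-/](\d{1,2})", raw.strip())
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:
        return None

def correlate(entries, nvd_published):
    """Per entry: days listed ahead of NVD (negative = behind), or why not comparable."""
    result = {}
    for e in entries:
        cve, seen = normalize_cve(e["cve"]), parse_date(e["published"])
        if not e["cve"].strip():
            result[e["id"]] = "no_cve"
        elif cve is None:
            result[e["id"]] = "malformed_cve"
        elif seen is None:
            result[e["id"]] = "bad_date"
        elif cve not in nvd_published:
            result[e["id"]] = "not_in_nvd"
        else:
            result[e["id"]] = (nvd_published[cve] - seen).days
    return result
```

Keeping the rejected entries under an explicit reason, rather than dropping them, lets an analyst measure how much of a feed could not be correlated at all.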