China’s Dual Vulnerability Databases Expose Conflicting Disclosure Timelines

In 2026, cybersecurity experts are scrutinizing global vulnerability databases amid concerns about Western systems such as CVE and NVD. China’s parallel databases, CNVD and CNNVD, reveal stark differences in disclosure practices, timelines, and data quality compared to international standards.

Dual Databases and Strict Policies

China operates two distinct national vulnerability databases: the Chinese National Vulnerability Database (CNVD), managed by CNCERT for defensive warnings, and the China National Vulnerability Database of Information Security (CNNVD), run by CNITSEC under the Ministry of State Security to support broader security efforts. These systems mirror many CVEs but use unique IDs and lack cross-references.

A 2021 policy, the Regulation on the Management of Network Product Security Vulnerabilities (RMSV), mandates reporting flaws to the Ministry of Industry and Information Technology within 48 hours of discovery, bans the disclosure of pre-patch details or exploits, and prohibits exaggerating severity.

Access requires login and manual downloads of XML files, which often contain parsing errors from apparent manual entry.

Logins for CNNVD and CNVD (Source: bitsight)

Database growth aligns closely with MITRE’s CVE list, but severity categories differ slightly from CVSS, with statistical variances noted.

CNVD includes submission and publication timestamps, showing 90% of entries published within a week. CNNVD, meanwhile, uses vulnerability types that are similar to, but distinct from, CWE.

Conflicting Timelines and Early Disclosures

Analysis of CVEs since 2011 shows Chinese databases publish most entries after or simultaneously with CVE/NVD, but 0.55% of CNNVD entries and 0.18% of CNVD entries precede them, totaling about 1,400 cases, often by months. CNNVD responds within a week 84% of the time, versus CNVD’s 27%. Examples include:

Early Chinese entries skew toward lower severity, suggesting a later reliance on Western sources.

Typos in CVE fields (e.g., wrong dashes) and date mismatches indicate manual processes, complicating matching against CVE. Non-CVE entries dropped post-RMSV, especially in CNVD, possibly hiding domestic flaws or China-specific software risks.
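As an added illustration (not Bitsight’s code or method), the following Python sketch shows the matching step the analysis implies: repairing hand-typed CVE references with wrong dashes, tolerating inconsistent date layouts, and flagging Chinese entries published before the CVE/NVD date. The record field names and all sample ids and dates are assumptions constructed for the example.

```python
import re
from datetime import date, datetime

# Canonical form: "CVE-" + 4-digit year + sequence of at least 4 digits.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# Separators seen in hand-typed ids: en dash, em dash, figure dash, Unicode hyphen, underscore, space.
DASH_LIKE = "\u2013\u2014\u2012\u2010_ "

def normalize_cve_id(raw: str):
    """Return the canonical 'CVE-YYYY-NNNN' form of a hand-typed id, or None if not a CVE id."""
    s = raw.strip().upper()
    for ch in DASH_LIKE:
        s = s.replace(ch, "-")
    s = re.sub(r"-+", "-", s)
    return s if CVE_RE.match(s) else None

def parse_date(raw: str):
    """Accept the few date layouts that manual entry tends to produce; None if unparseable."""
    for fmt in ("%Y-%m-%d", "%Y/%m/%d", "%Y%m%d"):
        try:
            return datetime.strptime(raw.strip(), fmt).date()
        except ValueError:
            pass
    return None

def early_disclosures(cn_records, cve_published):
    """Return (cve_id, days_early) for CN entries published before their CVE/NVD date.
    Rows with an unparseable id or date, or with no matching CVE, are skipped."""
    hits = []
    for rec in cn_records:
        cve = normalize_cve_id(rec.get("cve", ""))
        pub = parse_date(rec.get("published", ""))
        if cve is None or pub is None or cve not in cve_published:
            continue
        days_early = (cve_published[cve] - pub).days
        if days_early > 0:
            hits.append((cve, days_early))
    return hits

# Constructed sample rows (ids and dates invented), standing in for parsed CNNVD/CNVD XML.
SAMPLE_CN = [
    {"cve": "cve\u20132023\u20130001", "published": "2023/01/10"},  # en dashes, lowercase
    {"cve": "CVE-2023-0002", "published": "20230305"},              # after the CVE date
    {"cve": "CVE 2023 0003", "published": "2023-02-01"},            # same day as CVE
    {"cve": "n/a", "published": "2023-01-01"},                      # no CVE reference
]
SAMPLE_CVE_PUBLISHED = {"CVE-2023-0001": date(2023, 3, 1),
                        "CVE-2023-0002": date(2023, 2, 1),
                        "CVE-2023-0003": date(2023, 2, 1)}
```

Running `early_disclosures(SAMPLE_CN, SAMPLE_CVE_PUBLISHED)` on the constructed rows yields a single early entry, CVE-2023-0001, 50 days ahead of its CVE date.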

Growth of CNVD and CNNVD from earliest publication date. MITRE CVE list for comparison. Note this contains all public CVEs in the MITRE list including those marked as REJECTED2 (Source: bitsight)

Severity distributions remain stable post-policy, but CNNVD improved completeness. Historically, CNNVD sometimes outpaced NVD (13 vs. 33 days on average), with past data alterations noted for high-threat vulnerabilities.

According to Bitsight, these discrepancies highlight blind spots in global vulnerability tracking.

While CVE offers standardized, machine-readable data via CVSS, CWE, and CPE, China’s controlled approach prioritizes national security, potentially delaying global awareness.

Organizations should monitor non-Western databases for comprehensive risk management, especially amid CVE funding worries. Future NLP-based matching could link more entries, underscoring the need for diversified intelligence sources.


The post China’s Dual Vulnerability Databases Expose Conflicting Disclosure Timelines appeared first on Cyber Security News.
