The global cybersecurity landscape has been complicated by the emergence of a distinct vulnerability disclosure ecosystem within China. Unlike the internationally recognized Common Vulnerabilities and Exposures (CVE) system, China operates two separate databases, the China National Vulnerability Database (CNVD) and the China National Vulnerability Information Database (CNNVD). These databases exhibit different disclosure timelines and priorities, allowing newly discovered vulnerabilities to remain hidden from Western defenders for extended periods. This informational asymmetry enables threat actors to exploit security gaps in popular software, such as Microsoft OneDrive, before global patch cycles can react, a phenomenon referred to as “Red Vulns” or Chinese vulnerabilities.
This divergence in vulnerability disclosure timelines poses significant challenges for enterprise security teams who rely on timely intelligence to prioritize remediation efforts. When vulnerabilities are documented in Chinese databases months before appearing in the U.S. National Vulnerability Database (NVD), it creates a critical window of exposure where organizations are unaware of active threats. For instance, a Microsoft OneDrive DLL hijacking vulnerability was cataloged in Chinese systems long before a comparable CVE was fully documented internationally. This delay allows attackers to weaponize these vulnerabilities, bypassing standard detection protocols and establishing persistence on compromised networks.
China’s Dual Vulnerability Databases and Their Disclosure Impact
Bitsight analysts identified these discrepancies after conducting a comprehensive review of publication timestamps across both Chinese and international vulnerability ecosystems. Their research indicates that while the CNNVD largely mirrors the MITRE CVE list, the CNVD often maintains unique entries and operates with independent timelines. This suggests a strategic approach to vulnerability disclosure, where information is treated as a national security asset rather than a purely public good.
The growth of both the CNVD and CNNVD demonstrates a scaling of vulnerability tracking within China, seemingly to match global standards in volume. However, the critical finding is not merely the quantity of disclosed vulnerabilities, but the introduction of strategic latency in the disclosure process. This latency effectively masks the infection mechanisms of new exploits, leaving global defenders without the necessary Indicators of Compromise (IOCs) to detect early-stage attacks.
Strategic Disclosure Delays and Information Asymmetry
The most concerning aspect of this dual-database system is the systematic delay in releasing details of high-severity vulnerabilities to the broader public. This tactic effectively conceals the methods used in new exploits. The “arcs of delays” observed between the submission of a vulnerability and its public release reveal patterns where sensitive data is held back for extended periods. Furthermore, a significant percentage of CNVD entries do not immediately map to a corresponding CVE, creating a “shadow” inventory of security flaws.
The differing severity distributions across these databases further complicate risk assessment. Security teams must broaden their intelligence sources beyond the NVD to include these international databases to gain a more complete threat picture. The delay in disclosure means that organizations relying solely on universally recognized databases may remain vulnerable to exploits that have been publicly known and weaponized within certain regions for months. This creates a significant asymmetry in cybersecurity defenses, favoring attackers who see the information before it reaches the databases defenders rely on.
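The timestamp comparison described above can be run by a defender over any export of CNVD entries joined to NVD publication dates. The following is an added example, not code from Bitsight or from the article; the record layout, field names, identifiers and dates are constructed placeholders, not the real CNVD or NVD schema.

```python
from datetime import date
from statistics import median

# Constructed sample data: IDs, dates and field names are placeholders.
CNVD_RECORDS = [
    {"cnvd_id": "CNVD-EXAMPLE-0001", "cve_id": "CVE-EXAMPLE-0001",
     "submitted": "2024-01-10", "published": "2024-02-01"},
    {"cnvd_id": "CNVD-EXAMPLE-0002", "cve_id": "CVE-EXAMPLE-0002",
     "submitted": "2024-03-05", "published": "2024-03-20"},
    {"cnvd_id": "CNVD-EXAMPLE-0003", "cve_id": None,  # no CVE mapping at all
     "submitted": "2024-04-01", "published": "2024-06-15"},
    {"cnvd_id": "CNVD-EXAMPLE-0004", "cve_id": "CVE-EXAMPLE-0004",
     "submitted": "2024-05-02", "published": "2024-05-30"},
]
NVD_PUBLISHED = {  # cve_id -> NVD publication date (constructed)
    "CVE-EXAMPLE-0001": "2024-05-15",
    "CVE-EXAMPLE-0002": "2024-03-10",
    # CVE-EXAMPLE-0004 is deliberately absent: referenced by CNVD, not yet in NVD
}

def days(start, end):
    """Whole days from ISO date `start` to ISO date `end` (may be negative)."""
    return (date.fromisoformat(end) - date.fromisoformat(start)).days

def analyze(cnvd_records, nvd_published):
    rows, not_in_nvd = [], []
    for rec in cnvd_records:
        nvd_date = nvd_published.get(rec["cve_id"]) if rec["cve_id"] else None
        if nvd_date is None:
            # Invisible to a team that reads NVD only: no CVE, or CVE not in NVD.
            not_in_nvd.append(rec["cnvd_id"])
            continue
        rows.append({
            "cnvd_id": rec["cnvd_id"],
            # Time the entry was held between submission and CNVD release.
            "hold_days": days(rec["submitted"], rec["published"]),
            # Positive: CNVD published first; negative: NVD published first.
            "nvd_lag_days": days(rec["published"], nvd_date),
        })
    ahead = [r for r in rows if r["nvd_lag_days"] > 0]
    return {
        "rows": rows,
        "not_in_nvd": not_in_nvd,
        "not_in_nvd_share": len(not_in_nvd) / len(cnvd_records),
        "cnvd_first": [r["cnvd_id"] for r in ahead],
        "median_lag_when_cnvd_first":
            median(r["nvd_lag_days"] for r in ahead) if ahead else None,
    }

if __name__ == "__main__":
    for key, value in analyze(CNVD_RECORDS, NVD_PUBLISHED).items():
        print(key, value)
```

Entries listed under `not_in_nvd` or `cnvd_first` are the ones worth triaging from the non-NVD source directly, since an NVD-only feed would surface them late or not at all.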
The implications of this strategic disclosure delay extend to international compliance and incident response. When a global organization suffers a breach, understanding the timeline of vulnerability discovery and disclosure is crucial for effective forensics and mitigation. The existence of separate, staggered disclosure timelines complicates efforts to attribute attacks and assess the full scope of a compromise. Future research will likely focus on quantifying the exact impact of these disclosure gaps and developing more robust methods for integrating diverse vulnerability intelligence streams into existing security frameworks.

