From Hobbyists to State Pipeline: China Centralizes Vulnerability Research and Bans Foreign Hacking Contests
Over the past two decades, China’s vulnerability research industry has evolved from a disorganized network of enthusiasts into a highly structured ecosystem deeply intertwined with state interests. In the early 2000s, it was a fragmented scene built on free databases and low-cost exploits; by the mid-2010s, however, it had transformed into a cohesive system comprising commercial platforms, corporate research centers, and independent experts who actively participated in global competitions and bug bounty programs targeting Western software. Today, this field functions as part of China’s strategic infrastructure — a coordinated “pipeline” in which researchers, government agencies, and private contractors collectively contribute to the discovery and management of software vulnerabilities.
As Chinese teams began dominating international competitions, state authorities tightened their control. In 2018, participants from China were prohibited from competing in foreign hacking tournaments without government approval and were required to report all discovered vulnerabilities to “public and information security authorities.” Domestic competitions soon emerged in their place, with results frequently funneled to the Ministry of State Security (MSS) and the Ministry of Public Security (MPS). In 2021, the “Regulations on the Management of Network Product Security Vulnerabilities” mandated that companies notify the Ministry of Industry and Information Technology (MIIT) of any discovered flaws within 48 hours. Microsoft later warned that such policies could allow government bodies to accumulate undisclosed vulnerabilities for potential use in cyber operations.
In practice, state control remains partial. Researchers often delay disclosures or trade vulnerabilities on unofficial markets. Even after the high-profile 2021 incident in which an Alibaba engineer reported the critical Log4Shell flaw, compliance with the rules has been inconsistent. To incentivize cooperation, the state employs both pressure and reward systems. The China National Vulnerability Database (CNNVD) — managed by the Ministry of State Security — compensates researchers for their discoveries and issues certifications that bolster their professional standing and open doors to lucrative government contracts. As a result, membership in CNNVD’s Technical Support Units (TSU) continues to grow, making voluntary submission of vulnerability data increasingly profitable.
Alongside official channels, an informal web of connections has taken shape — linking researchers, contractors, and private companies working on behalf of the state. One prominent example is Sichuan Silence, whose employees were implicated in U.S. investigations into attacks targeting Sophos products. Similar patterns can be observed between the Pangu and i-SOON teams: the former is known for iOS exploits and operates under the Qi An Xin corporation, while the latter has been associated with state-linked threat groups RedHotel and Aquatic Panda. The 2024 i-SOON document leaks revealed that both entities maintained direct communication and exchanged discovered vulnerabilities, including those suitable for intelligence and investigative use.
The state continues to expand this “pipeline,” recruiting colleges and technical institutes while major companies implement multi-tiered talent development programs. For instance, Butian, a platform owned by Qi An Xin, launched a six-level training initiative called “White Hat: The Path of the Master,” combining theoretical instruction, practical exercises, and a system of professional rewards. At the same time, focus within Chinese vulnerability research has gradually shifted from foreign targets to domestic software. While competitions such as Tianfu Cup from 2018 to 2022 primarily targeted Western applications, the 2023 edition introduced a larger prize pool for Chinese systems, and in 2024, the newly established Matrix Cup featured separate domestic categories with total rewards exceeding $2.75 million — surpassing even Canada’s Pwn2Own.
However, transparency around such contests is declining. Tianfu Cup was not held in 2024, and Matrix Cup withheld detailed exploit disclosures. Meanwhile, Chinese companies have gained access to confidential vulnerability data from the Microsoft Active Protections Program (MAPP), which shares early information about upcoming patches with trusted partners. Of 104 MAPP participants, 13 are based in China, prompting concerns over potential data leaks. According to Bloomberg, Microsoft curtailed their participation in August 2025 amid growing security fears.
China’s modern vulnerability research ecosystem has thus evolved from a loose collective of hobbyists into a centralized, state-aligned network—an intricate fusion of bureaucracy, financial incentives, and patriotic motivation. Professionals now receive structured training through corporate programs, while the government exerts control over both the flow and destination of information. Yet many researchers continue to submit vulnerability reports to Western companies, carefully navigating the delicate balance between personal profit, scientific recognition, and national security interests.