The Fracture of Truth: How China’s Secretive Databases Are Outpacing the Ailing CVE System
In the realm of information security, it has long been standard practice to catalogue vulnerabilities via the CVE system: each vulnerability is assigned an identifier, followed by a CVSS severity score, a CWE weakness type, and a list of affected products, thereby allowing defenders to set their patching priorities. However, 2024 and 2025 have underscored the fragility of this apparatus when its fundamental nodes falter.
The initial tremor occurred in February 2024, when the National Vulnerability Database (NVD), maintained by NIST, suffered a significant degradation in performance. For decades, the NVD performed the thankless yet vital task of enriching CVE entries with essential metadata—CVSS scores, CWE weakness classifications, and CPE product identifiers. Faced with a burgeoning backlog, the NVD admitted to an inability to sustain its pace, prioritizing contemporary threats while leaving a vast “tail” of unprocessed records in its wake.
This was followed by an organizational upheaval. At VulnCon 2025, public discourse turned toward the precarious funding of the CVE program. A panic ensued when it was revealed that a critical Department of Homeland Security contract had neared expiration without renewal, sparking fears of a fragmented cataloging system. Although funding was eventually secured, the episode served as a sobering reminder that even the industry’s most venerable pillars possess inherent vulnerabilities.
Recently, researchers at Bitsight expanded the scope of this inquiry, examining sovereign vulnerability repositories beyond the Western sphere, specifically the dual databases of China: CNNVD and CNVD.
China operates two parallel state databases that function under distinct regulatory paradigms. While both utilize proprietary identifiers, they maintain cross-references to CVE numbers when available. However, because direct synchronization between CNVD and CNNVD is virtually non-existent, correlation must be meticulously performed through shared descriptions.
- CNNVD: Operated by CNITSEC, a center linked to the Ministry of State Security. Its publication cadence suggests a focus on international intelligence; it frequently serves as a mirror for global CVE disclosures, albeit filtered through Chinese regulatory mandates.
- CNVD: Governed by CNCERT, this repository aligns more closely with traditional defensive databases, focusing on identifying novel threats and assisting in the remediation of domestic infrastructure.
In July 2021, China implemented a stringent regulatory layer known as RMSV. This mandate redefined the cadence of disclosure, diverging sharply from Western “Coordinated Vulnerability Disclosure” (CVD) norms. RMSV requires that all discovered vulnerabilities be reported to the state within 48 hours. Technical details—and specifically Proof-of-Concept (PoC) code or exploits—are strictly prohibited from public release until a patch is available. This replaces the voluntary collaboration between researcher and vendor with a prescribed order that prioritizes state control over the tempo of disclosure.
Accessing this data remains an arduous task for automation. Both repositories lack robust APIs, so analysts must drive the web interface by hand to generate XML exports. These files are frequently marred by structural errors and typographical blunders—such as mangled CVE identifiers and erroneous date fields—which necessitate significant manual cleaning before the records can be correlated with CVE and NVD.
A temporal analysis reveals intriguing patterns. While approximately 90% of entries appear within a week of their initial acquisition, a minute fraction (roughly 0.55% for CNNVD and 0.18% for CNVD) precedes the official CVE or NVD publication. In these rare instances—numbering about 1,400 since 2011—the Chinese repositories lead by an average of three months.
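A cleaning-and-correlation pass of the kind the two paragraphs above describe, as an added example that is neither Bitsight's tooling nor code from the page: it normalizes mangled CVE identifiers and date fields from an export, then measures how far each entry leads or lags the NVD publication date. The XML element names, the sample export, and the NVD dates are constructed assumptions, not the real CNNVD/CNVD schema.

```python
import re
import xml.etree.ElementTree as ET
from datetime import date, datetime

# Constructed sample export; element names are an assumption, not the real schema.
SAMPLE_XML = """<entries>
  <entry><id>CNNVD-202401-001</id><cve>CVE-2024-1234</cve><published>2024-01-15</published></entry>
  <entry><id>CNNVD-202401-002</id><cve>cve 2024-01235</cve><published>2024/01/16</published></entry>
  <entry><id>CNNVD-202401-003</id><cve>CVE-2024-1236</cve><published>2024-13-40</published></entry>
  <entry><id>CNNVD-202401-004</id><cve></cve><published>2024-01-17</published></entry>
</entries>"""

# Constructed NVD publication dates used as the reference timeline.
NVD_PUBLISHED = {"CVE-2024-1234": date(2024, 4, 10), "CVE-2024-1235": date(2024, 1, 10)}

# Tolerates missing/odd separators and leading zeros, e.g. "cve 2024-01235".
CVE_RE = re.compile(r"CVE[\s_-]*(\d{4})[\s_-]*(\d{4,})", re.IGNORECASE)


def normalize_cve(raw):
    """Return a canonical CVE-YYYY-NNNN id, or None if no id can be recovered."""
    m = CVE_RE.search(raw or "")
    if not m:
        return None
    return f"CVE-{m.group(1)}-{int(m.group(2)):04d}"  # strip leading zeros, keep >= 4 digits


def parse_date(raw):
    """Accept the date spellings seen in exports; None for impossible dates like 2024-13-40."""
    for fmt in ("%Y-%m-%d", "%Y/%m/%d", "%Y%m%d"):
        try:
            return datetime.strptime(raw.strip(), fmt).date()
        except ValueError:
            continue
    return None


def load_entries(xml_text):
    """Parse and clean each entry; lead_days > 0 means it precedes the NVD publication."""
    records = []
    for e in ET.fromstring(xml_text):
        cve = normalize_cve(e.findtext("cve"))
        pub = parse_date(e.findtext("published") or "")
        lead = None
        if cve in NVD_PUBLISHED and pub is not None:
            lead = (NVD_PUBLISHED[cve] - pub).days
        records.append({"id": e.findtext("id"), "cve": cve, "published": pub, "lead_days": lead})
    return records


def lead_stats(records):
    """Share of matched entries that precede NVD, and their mean lead in days."""
    matched = [r for r in records if r["lead_days"] is not None]
    leads = [r["lead_days"] for r in matched if r["lead_days"] > 0]
    share = len(leads) / len(matched) if matched else 0.0
    return share, (sum(leads) / len(leads) if leads else 0.0)
```

Entries whose CVE id or date cannot be recovered are kept with `None` so they can be counted and sent for manual review rather than silently dropped.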
Since the implementation of RMSV in 2021, the volume of vulnerabilities published without an associated CVE has shifted noticeably. CNVD has significantly slowed its publication of such entries, while CNNVD has shown a recent resurgence in non-CVE records. This suggests a complex interplay of factors: improved internal cross-referencing, the strategic withdrawal of certain vulnerabilities from the public eye under new regulations, or a focus on highly localized software that lacks international relevance.
Ultimately, the Chinese ecosystem highlights a global trend: the control of information regarding software flaws has become a critical instrument of state power.