Kristin Del Rosso

Is CNVD ≥ CVE? A Look at Chinese Vulnerability Discovery and Disclosure

The US is still lagging behind China in terms of vulnerability discovery and disclosure. While the gap between the US National Vulnerability Database (NVD) and the Chinese NVD (CNNVD) has slightly shrunk over the last 5 years, there are still hundreds of vulnerabilities registered in China that are yet to be listed on the US NVD.

Furthermore, the CNNVD is a known subsidiary of the Chinese Ministry of State Security’s Technical Bureau, the China Information Technology Security Evaluation Center (CNITSEC). The MSS drives Chinese cyber espionage, and its strong foothold in the vulnerability sourcing ecosystem, together with a history of altering CVE disclosure dates and providing APT groups with exploits, further highlights the need to close the gap between US and Chinese CVE disclosure for improved proactive defense.

This talk will walk through the discovery of a CNVD that is not listed on the US NVD, and the larger picture behind the discovery and disclosure of vulnerabilities in China. This will cover how and where they are sourced, including a newly discovered sourcing event, the scope of disparity between US and Chinese vulnerability reporting, and how researchers can proactively hunt to close this knowledge gap between US and Chinese CVEs.

Kristin Del Rosso works at Sophos as a product manager focusing on Incident Response, Threat Intelligence, and the SecOps ecosystem.

Previously, she was an analyst on Lookout Mobile Security’s Threat Intelligence team, with a focus on reversing Android surveillanceware and tracking threat actors and their infrastructure. She enjoys threat hunting and learning about new forms of security research, and in her spare time can be found practicing Jiu Jitsu or making pasta from scratch.