- Vulnerability Databases: Is China's CNNVD Superior to the US NVD?
Vulnerability Databases: Is China's CNNVD Superior to the US NVD?
A global overview of vulnerability databases and disclosure practices
Did you know that approximately 80% of all published Common Vulnerabilities and Exposures (CVEs) are contributed by CNAs in the United States? In this blog post, we’ll break down why that is, how vulnerability disclosures differ in certain countries, and why the world can’t just get along 😢.
Table of Contents
The CVE Program Begins (1999)
The story starts in 1999 when the cybersecurity world was grappling with a major challenge: vulnerabilities were popping up left and right, but there was no standardized way to identify and manage them. That’s when MITRE stepped in and introduced the CVE program. The goal was simple yet revolutionary: create a universally recognized method for naming and categorizing these vulnerabilities. The CVE program wasn’t just a directory but the Rosetta Stone of cybersecurity, allowing different systems and software to speak the same language regarding security threats.
NVD: The Go-To Resource for Vulnerability Management
While the CVE program was busy cataloging vulnerabilities, there was still a need for a comprehensive database to track and analyze these issues. Enter the National Vulnerability Database (NVD). Launched by the National Institute of Standards and Technology (NIST), the NVD took the CVE entries and turned them into a rich resource, complete with severity scores, impact ratings, and analysis. Consider the NVD as the encyclopedia of vulnerabilities, where IT professionals, researchers, and security buffs could get the full scoop on each vulnerability.
Together, the CVE program and the NVD formed a dynamic duo, making it easier for organizations to stay informed, assess risks, and fortify their defenses against the ever-evolving landscape of cybersecurity threats.
Vulnerability Databases: A Global Overview
I only recently became aware that other nations had their own vulnerability databases. I mean, it makes perfect sense, but I never really cared to give it any thought. The following are a few I came across in my studies and felt were worth mentioning, excluding the US NVD, which was discussed above.
Japan Vulnerability Notes (JVN): Japan’s approach to cybersecurity is embodied in the JVN, a platform that offers detailed information about vulnerabilities and supports the secure configuration of products. It’s a collaborative effort between the Information-Technology Promotion Agency (IPA) and the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC).
China National Vulnerability Database (CNNVD): Managed by the Ministry of Industry and Information Technology, CNNVD is the official national database catalogs known vulnerabilities. It provides detailed information about each vulnerability, including descriptions, severity, impact, and recommended mitigation measures. CNNVD is widely recognized and serves as a comprehensive resource for the Chinese cybersecurity community.
China’s National Vulnerability Database of Information Security (CNVD): While similar in name to CNNVD, CNVD operates under the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC). CNVD is more focused on actively involving the community in reporting vulnerabilities and sharing information about vulnerabilities that impact Chinese cyberspace.
CERT-EU Vulnerability Database: Managed by the Computer Emergency Response Team for EU Institutions, Agencies, and Bodies (CERT-EU). It is a key resource for consolidating and communicating information about security vulnerabilities to EU entities. The database details each vulnerability, including its characteristics, potential impacts, and recommended mitigation strategies.
So, how do they compare? Well, the research paper Towards System Security: What a Comparison of National Vulnerability Databases Reveals sought to compare the National Vulnerability Database (NVD), the China National Vulnerability Database (CNVD), and the China National Vulnerability Database of Information Security (CNNVD) in 2022.
I felt the following table summarized the results best from the paper. But here are some bullet points:
The CNNVD has more entries than the NVD
9,963 advisories in the CNNVD were not included in the NVD
The CNVD had 23,281 advisories not included in the NVD
Over 10,000 advisories in the NVD were rejected, and almost all were excluded from the CNNVD; this is evidence that the CNNVD applies filtering to advisories from the NVD.
Legal Frameworks for Vulnerability Disclosure
The landscape of legal frameworks for vulnerability disclosure across the globe is as varied as the regions themselves.
In the United States, a combination of voluntary disclosure practices supplemented by sector-specific regulations, such as those in finance and healthcare, prevails, with the Vulnerability Equities Process guiding the government’s approach to handling vulnerabilities.
Across the Atlantic, the European Union enforces a more regulatory stance with directives like the Network and Information Systems (NIS) Directive and the GDPR, which, while not directly mandating vulnerability disclosures, require incident reporting that indirectly supports such disclosures.
The Asia-Pacific region presents a tapestry of approaches; Japan leans towards voluntary reporting and robust public-private partnerships, e.g., the JPCERT/CC Vulnerability Coordination and Disclosure Policy. On the other hand, China enforces strict government mandates via the Data Security Law of the People’s Republic of China for vulnerability disclosure, as evidenced by the operations of its national databases, CNNVD and CNVD.
Despite these efforts and the presence of international standards like ISO/IEC 29147:2018, the goal of a unified international vulnerability database is hampered by geopolitical divides, legal discrepancies, and technical challenges.
THIS IS HOW THEY TELL ME THE WORLD ENDS
It is a great book that touches on the geopolitical divide regarding vulnerability disclosures and, more specifically, the global market for zero-day vulnerabilities—currently, my favorite book on cybersecurity.
USA v. China: Brief Comparison / Opinion
In the US, the approach to cybersecurity and sharing info about system weaknesses is pretty open. For those submitted, the government uses a system where they weigh the pros and cons before deciding to share details about cybersecurity problems - this is the Vulnerability Equities Process. However, most vulnerabilities, at least those we know, are reported publicly via the CVE process or similar, such as GitHub Security Advisories. This method aims to help everyone beef up their defenses by being transparent about the risk.
Over in China, things are a lot tighter. The Chinese government has put strict rules in place via the Data Security Law of the People’s Republic of China, which says if you find a security issue, you’ve got to report it straight to them. There’s not much room for sharing with the wider community. This approach means the government keeps a tight grip on all the information about cybersecurity weaknesses. They decide what to do with that info, which can include patching things up quietly or using the knowledge to suit national interests.
These different styles show how the US and China view cybersecurity’s role in their global image and relations with other countries. The US is more about open sharing and collective defense, believing that transparency can lead to more robust security for everyone. Meanwhile, China focuses on control and oversight, ensuring that all knowledge of vulnerabilities is managed to align with government interests and policies. These approaches highlight both countries’ cybersecurity strategies and reflect their broader attitudes toward information control and international cooperation.