Amid worries about Western systems like CVE and NVD, cybersecurity experts examine global vulnerability databases in 2026. China's parallel databases, CNNVD and CNVD, show glaring discrepancies in disclosure procedures, timelines, and data quality when compared to international norms.

Strict Policies and Two Databases

China has two different national vulnerability databases: the China National Vulnerability Database of Information Security (CNNVD), which is run by CNITSEC under the Ministry of State Security to support wider security efforts, and the Chinese National Vulnerability Database (CNVD), which is run by CNCERT for defensive warnings. Although these systems use distinct IDs and don't have cross-references, they mirror many CVEs.

The Regulation on the Management of Network Product Security Vulnerabilities (RMSV), a 2021 policy, forbids disclosing pre-patch details or exploits, prohibits exaggerating severity, and requires reporting vulnerabilities to the Ministry of Industry and Information Technology within 48 hours of discovery. Access requires logging in and downloading XML files by hand, and the files frequently have parsing errors due to what appears to be manual entry.

[Figure: CNNVD and CNVD logins (Source: Bitsight)]

Growth closely resembles MITRE's CVE list, although there are statistical differences between the severity categories and CVSS.

According to CNVD, which also includes submission and publication timestamps, 90% of submissions are published within a week. CNNVD, on the other hand, uses vulnerability types that are similar to CWE but not the same.

Inconsistent Schedules and Early Disclosures

Chinese databases publish the majority of CVE entries after or concurrently with CVE/NVD, according to an analysis of CVEs since 2011. However, 0.55% of CNNVD and 0.18% of CNVD entries come before them, for a total of roughly 1,400 cases, frequently by months. CNNVD responds within a week 84% of the time, compared to 27% of the time for CNVD.

Among the examples are:

The severity of early Chinese entries tends to be lower, indicating a later reliance on Western sources. Date inconsistencies and typos in CVE fields (such as incorrect dashes) point to manual procedures that make matches more difficult. After RMSV, non-CVE entries decreased, particularly in CNVD, which might have concealed domestic defects or software risks unique to China.

[Figure: CNVD and CNNVD growth since the first publication date, with the MITRE CVE list for comparison. Note that this includes all of the MITRE list's public CVEs, including those that are marked as REJECTED (Source: Bitsight)]

CNNVD improved in completeness, but severity distributions remained constant after the policy. Historically, CNNVD has occasionally outpaced NVD (13 vs. 33 days on average), and changes to historical data have been observed for high-threat vulnerabilities.
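The dash typos and timing comparison described above can be handled with a small normalization step before matching. The following is an added example, not Bitsight's method or code from the article; the record field names, the sample IDs and dates, and the set of dash look-alikes are all constructed assumptions.

```python
import re
from datetime import date

# Dash-like characters that manual entry may substitute for "-" (assumed set).
DASHES = dict.fromkeys(map(ord, "\u2010\u2011\u2012\u2013\u2014\u2212\uff0d_"), "-")
CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})")


def normalize_cve(raw):
    """Return a canonical CVE ID, or None if the field cannot be repaired."""
    if not raw:
        return None
    text = raw.translate(DASHES).upper()
    text = re.sub(r"\s+", "", text)      # drop stray spaces inside the ID
    text = re.sub(r"-{2,}", "-", text)   # collapse doubled dashes
    m = CVE_RE.fullmatch(text)
    return f"CVE-{m.group(1)}-{m.group(2)}" if m else None


def lead_days(entries, cve_published):
    """Map local ID -> days the entry preceded CVE publication (negative = later).

    Entries whose CVE field is missing, unrepairable or unknown are returned
    separately so they can be reviewed instead of silently dropped.
    """
    matched, unmatched = {}, []
    for e in entries:
        cve = normalize_cve(e.get("cve"))
        if cve is None or cve not in cve_published:
            unmatched.append(e["id"])
            continue
        matched[e["id"]] = (cve_published[cve] - e["published"]).days
    return matched, unmatched


# Constructed sample data: IDs, dates and field names are illustrative only.
CVE_PUBLISHED = {"CVE-2099-0001": date(2099, 3, 10), "CVE-2099-12345": date(2099, 5, 1)}
ENTRIES = [
    {"id": "CNNVD-209902-001", "cve": "CVE\u20132099\u20130001", "published": date(2099, 2, 1)},
    {"id": "CNVD-2099-00002", "cve": "cve-2099--12345 ", "published": date(2099, 5, 3)},
    {"id": "CNVD-2099-00003", "cve": "CVE-2099-1", "published": date(2099, 6, 1)},
    {"id": "CNNVD-209906-004", "cve": None, "published": date(2099, 6, 2)},
]

if __name__ == "__main__":
    matched, unmatched = lead_days(ENTRIES, CVE_PUBLISHED)
    for local_id, days in matched.items():
        print(f"{local_id}: {days:+d} days relative to CVE publication")
    print("needs review:", unmatched)
```

Keeping the unmatched list visible matters here: an entry with a malformed CVE field would otherwise be counted as a non-CVE entry and skew any timing statistics.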

These disparities point to blind spots in global vulnerability tracking, claims Bitsight. Global awareness may be delayed by China's controlled approach, which puts national security first even though CVE provides standardized, machine-readable data via CVSS, CWE, and CPE. In light of concerns about CVE funding, organizations should keep an eye on non-Western databases for thorough risk management. More entries may be linked by future NLP matching, encouraging the use of a variety of intelligence sources.