Data Indicates China Delays Reporting Security Flaws Useful in Attacks | eWeek

Data Shows China Likely Delaying Vulnerability Reports to Help Attacks

security flaws
Written By
Robert Lemos
Robert Lemos
Nov 17, 2017
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

China intelligence officials are likely delaying the release of information on high-severity vulnerabilities to evaluate the security flaws for operational utility and to benefit the nation’s online espionage efforts, according to an analysis of vulnerability disclosure trends and timing conducted by Recorded Future, a threat- and information-analysis firm.

In a report published on Nov. 16, Recorded Future showed that, while the Chinese National Vulnerability Database (CNNVD) is much faster at documenting vulnerabilities than the U.S. National Vulnerability Database (NVD), the Chinese are noticeably slower to report vulnerabilities that have been used in popular exploit kits and that hold the promise of being useful in attacks.

As a result, while the U.S. NVD reports details of high-severity vulnerabilities faster than low-severity ones, the Chinese database published information on low-severity vulnerabilities faster than that of higher severity.


The analysis strongly suggests that China has a vulnerability evaluation process that slows the release of information for possibly exploitable vulnerabilities, Priscilla Moriuchi, director of strategic threat development for Recorded Future, told eWEEK.

We “saw substantial lag there, which overlapped with possible Chinese intelligence operational use,” she said. “And all of this combined led us to the conclusion that China has their own vulnerability evaluated process, where high-threat vulnerabilities are evaluated by intelligence groups for their operational utility.”

The report comes as the United States evaluates its own process of striking a balance between disclosing vulnerabilities to harden information systems against attack and withholding information on vulnerabilities to be used to investigate criminals’ systems and attack rogue online actors. The Trump administration has vowed to be more transparent in its efforts to strike a balance, known as the Vulnerability Equities Process, and to increase accountability.

“The challenge is to find and sustain the capability to hold rogue cyber actors at risk without increasing the likelihood that known vulnerabilities will be exploited to harm legitimate, law-abiding users of cyberspace,” Rob Joyce, the White House Cybersecurity Coordinator, wrote in a statement on Nov. 15.

“Vulnerability management requires sophisticated engagement to ensure protection of our people, the safeguarding of critical infrastructure, and the defense of important commercial and national security interests.”

China seems to skew its own process toward keeping secret any vulnerabilities that could be used for an attack. China took 57 days to release details of the vulnerability exploited in the WannaCry attack by North Korean state-sponsored actors, for example, when the U.S. released details after a single day. The entry in the CNNVD also has much less detail, according to Recorded Future.

In another case, China’s CNNVD took 236 days longer to publish details on a pair of critical vulnerabilities in software for the Android mobile operating system, which essentially constituted a preinstalled back door in many phones.

Finally, in at least three cases, the CNNVD significantly delayed publishing details of the most critical vulnerability disclosed as part of multi-vulnerability advisories—such as Microsoft’s Patch Tuesday disclosures.

“China does not talk about their vulnerability evaluation process,” Moriuchi said, “where the U.S. is trying to make their process more transparent and protect the public to a greater extent.”

Recorded Future did note, however, that—on the whole—the Chinese National Vulnerability Database published details of vulnerabilities in each category of severity more quickly than its U.S. counterpart.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.