Chinese National Vulnerability Database
The Chinese National Vulnerability Database (CNNVD) is one of two national vulnerability databases of the People's Republic of China. It is operated by the China Information Technology Security Evaluation Center (CNITSEC), the 13th Bureau of China's foreign intelligence service, the Ministry of State Security (MSS).[1][2] As of September 28, 2020, the database has 117,454 vulnerabilities cataloged with the first entry dated January 1, 2010.[3]
国家信息安全漏洞库 | |
Agency overview | |
---|---|
Formed | 18 October 2009 |
Type | Cybersecurity Agency |
Jurisdiction | Mainland China |
Headquarters | Building 1, No. 8 Courtyard, Shangdi West Road, Haidian District, 100085 Beijing, China |
Employees | Classified |
Annual budget | Classified |
Parent department | Ministry of State Security |
Website | www |
Organization
The organization is operated by the China Technology Evaluation Center (中国信息安全测评中心; Zhōngguó Xìnxī Ānquán Cèpíng Zhōngxīn, known in English as CNITSEC), which is a subsidiary office of the MSS, making the organization closely linked to the Chinese intelligence apparatus.[4] According to its official website, CNNVD performs "analysis and information communication of security vulnerabilities of information technology products and systems; security risk assessment of information networks and important information systems of party and government organs; safety testing and evaluation of information technology products, systems and engineering construction; competency assessments and qualification reviews for information security services and professionals; theoretical research, technology research and development and the development of standards"[5]
The agency has been criticized as a trojan horse manipulated by Chinese intelligence in order to take advantage of vulnerabilities in order to wage cyberwarfare against foreign targets.
According to Boston based cybersecurity firm Recorded Future, the MSS evaluates all submitted vulnerabilities before releasing them in order to determine if they can be used for the purposes of cyber-espionage; according to researchers this was demonstrated through extensive backdating of vulnerabilities.[6]
References
- "国家信息安全漏洞共享平台". www.cnvd.org.cn. Retrieved 2020-09-29.
- Sass, Rami (2019-01-16). "Not all National Vulnerability Databases are created equal". IT Pro Portal. Retrieved 2019-06-03.
- "国家信息安全漏洞共享平台". archive.vn. 2020-09-29. Archived from the original on 2020-09-29. Retrieved 2020-09-29.
- "China's Ministry of State Security Likely Influences National Network Vulnerability Publications". www.recordedfuture.com. Retrieved 2022-08-14.
- "国家信息安全漏洞库". www.cnnvd.org.cn. Retrieved 2022-08-14.
- "China's national vulnerability database is merely a tool for its intelligence agencies". CyberScoop. 2018-03-09. Retrieved 2022-08-14.