LABScon Replay | Is CNVD ≥ CVE? A Look at Chinese Vulnerability Discovery and Disclosure

The US is still lagging behind China in terms of vulnerability discovery and disclosure. While the gap between the US National Vulnerability Database (NVD) and the Chinese NVD (CNNVD) has slightly shrunk over the last 5 years, there are still hundreds of vulnerabilities registered in China that are yet to be listed on the US NVD. The CNNVD is a known subsidiary of the Chinese Ministry of State Security’s Technical Bureau, which drives Chinese cyber espionage, and has a history of altering CVE disclosure dates and providing APT groups with exploits.

This talk walks through the discovery of a CNVD that is not listed on the US NVD, and the larger picture behind the discovery and disclosure of vulnerabilities in China. Kristin covers how and where they are sourced, including a newly discovered sourcing event, the scope of disparity between US and Chinese vulnerability reporting, and how researchers can proactively hunt to close this knowledge gap between US and Chinese CVEs.

Kristin Del Rosso works at Sophos as a product manager focusing on Incident Response, Threat Intelligence, and the SecOps ecosystem.

Previously, she was an analyst on Lookout Mobile Security’s Threat Intelligence team, focusing on reversing Android surveillance ware, and tracking threat actors and their infrastructure.

About LABScon

This presentation was featured live at LABScon 2022, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLabs.