Jump to content

Chinese National Vulnerability Database

From Wikipedia, the free encyclopedia
China National Vulnerability Database
国家信息安全漏洞库
Agency overview
Formed18 October 2009; 15 years ago (2009-10-18)
TypeCybersecurity Agency
JurisdictionMainland China
HeadquartersBuilding 1, No. 8 Courtyard, Shangdi West Road, Haidian District, 100085 Beijing, China
EmployeesClassified
Annual budgetClassified
Parent departmentMinistry of State Security
Websitewww.cnnvd.org.cn Edit this at Wikidata

The Chinese National Vulnerability Database (CNNVD) is one of two national vulnerability databases of the People's Republic of China. It is operated by the China Information Technology Security Evaluation Center (CNITSEC), the 13th Bureau of China's foreign intelligence service, the Ministry of State Security (MSS).[1][2] As of September 28, 2020, the database has 117,454 vulnerabilities cataloged with the first entry dated January 1, 2010.[3]

Organization

[edit]

The organization is operated by the China Technology Evaluation Center (中国信息安全测评中心; Zhōngguó Xìnxī Ānquán Cèpíng Zhōngxīn, known in English as CNITSEC), which is a subsidiary office of the MSS, making the organization closely linked to the Chinese intelligence apparatus.[4] According to its official website, CNNVD performs "analysis and information communication of security vulnerabilities of information technology products and systems; security risk assessment of information networks and important information systems of party and government organs; safety testing and evaluation of information technology products, systems and engineering construction; competency assessments and qualification reviews for information security services and professionals; theoretical research, technology research and development and the development of standards"[5]

The agency has been criticized as a trojan horse manipulated by Chinese intelligence in order to take advantage of vulnerabilities in order to wage cyberwarfare against foreign targets.

According to Boston based cybersecurity firm Recorded Future, the MSS evaluates all submitted vulnerabilities before releasing them in order to determine if they can be used for the purposes of cyber-espionage; according to researchers this was demonstrated through extensive backdating of vulnerabilities.[6]

References

[edit]
  1. ^ "国家信息安全漏洞共享平台". www.cnvd.org.cn. Retrieved 2020-09-29.
  2. ^ Sass, Rami (2019-01-16). "Not all National Vulnerability Databases are created equal". IT Pro Portal. Retrieved 2019-06-03.
  3. ^ "国家信息安全漏洞共享平台". archive.vn. 2020-09-29. Archived from the original on 2020-09-29. Retrieved 2020-09-29.
  4. ^ "China's Ministry of State Security Likely Influences National Network Vulnerability Publications". www.recordedfuture.com. Retrieved 2022-08-14.
  5. ^ "国家信息安全漏洞库". www.cnnvd.org.cn. Retrieved 2022-08-14.
  6. ^ "China's national vulnerability database is merely a tool for its intelligence agencies". CyberScoop. 2018-03-09. Retrieved 2022-08-14.
[edit]