Uncovering the Differences: U.S. vs. China Vulnerability Databases

Image cover for blog post.

Nov 12, 2024

Profile image of ENTRYZERO

ENTRYZERO

In cybersecurity, national vulnerability databases are pivotal in cataloging and assessing software vulnerabilities. Two prominent databases are the U.S. National Vulnerability Database (NVD) and China’s National Vulnerability Database (CNNVD). Current industry practices often recommend utilizing Common Vulnerability Scoring System (CVSS) scores and severity ratings to prioritize actions such as patch management. This underlines the relevance of the reliability and consistency of the “ground truth” of these severity ratings. This blog is a comparative analysis of the severity assigned to 143,065 vulnerabilities by NVD and CNNVD from 2019 to October 2024. Our key question is: How do both databases differ in their vulnerability severity ratings? The results reveal notable discrepancies, underscoring the importance of understanding these differences for global cybersecurity strategies.

Comparative Analysis of Vulnerability Numbers and Publication Dates

NVD and CNNVD categorize vulnerabilities into four severity levels: ‘‘Low’’, ‘‘Medium’’, ‘‘High’’, and ‘‘Critical’’. These ratings guide organizations in prioritizing their security responses. For our analysis, we have considered vulnerabilities reported from 2019 to October 2024 as depicted in the table below.

DatabaseTotal VulnerabilitiesTotal Critical Vulnerabilities
NVD141,38620,231
CNNVD143,06518,349

The results show that both databases have cataloged a similar number of vulnerabilities over six years. Examining critical vulnerabilities reveals that the NVD has identified a slightly higher count than the CNNVD. This examination also highlights a general upward trend in critical vulnerabilities over time. The latter is illustrated in the figure below.

Number Critical Vulnerabilities

Analyzing the publication timelines of NVD and CNNVD discloses significant differences in their publishing speeds:

Publishing EntityNumber of Vulnerabilities Published Earlier
NVD over CNNVD31,876
CNNVD over NVD658
Same Publication Date108,931

The table above indicates that NVD has been more proactive in publishing vulnerability information ahead of CNNVD. Various factors, including differences in disclosure policies, resource allocation, and national security considerations, may influence this discrepancy. Understanding these dynamics is crucial for organizations to develop comprehensive and timely vulnerability management strategies.

Comparative Analysis of Vulnerability Severity

The following graphic presents a cross-tabulation of severity ratings between NVD and CNNVD over the specified period. In our data, the vulnerabilities for which severity ratings were unavailable were categorized as ‘‘None’’. One point of note is that while NVD assigns a score in addition to the severity rating (CVSS), CNNVD does not provide an equivalent scoring system:

Vulnerability Severity Assignments

Key Observations

  1. Alignment in Severity Ratings: Many vulnerabilities have matching severity ratings in both databases, particularly in the ‘‘Medium’’ and ‘‘High’’ categories. For instance, 57,863 vulnerabilities are classified as ‘‘Medium’’ by NVD and CNNVD, and 49,026 as ‘‘High’’.

  2. Discrepancies in Critical Ratings: 2,474 vulnerabilities are rated as ‘‘Critical’’ by NVD while CNNVD rates them lower. On the other side, 663 vulnerabilities are rated as ‘‘Critical’ by CNNVD while NVD rates them lower. This accounts for almost 3,000+ differences in vulnerability ratings in the higher end of the spectrum.

  3. Variations in Low Ratings: 498 vulnerabilities are rated as ‘‘Low’’ by NVD while CNNVD rates them higher. On the other side, 530 vulnerabilities are rated as ‘‘Low’ by CNNVD while NVD rates them higher. This accounts for almost 1,000+ differences in vulnerability ratings in the lower end of the spectrum.

  4. Missing Vulnerability Ratings: 3,829 vulnerabilities have missing ratings in NVD in the last 6 years while 992 vulnerabilities have missing ratings in CNNVD. This leads to different assessment by different stakeholders of the corresponding vulnerabilities. Given that many workflows and prioritization actions rely on these databases, this questions the reliability and consistency of this “ground truth”.

It’s Time to Prioritize Beyond Severity Ratings!

In addition to the high volume and upward trend of critically rated vulnerabilities — and the fact that these account for only 37.4% of exploited vulnerabilities according to the EPSS Study — the discrepancies between NVD and CNNVD severity ratings underscore key limitations of relying solely on these for patch prioritization. As suggested in recent studies Time to Change the CVSS, Software Vulnerability Exploitability Assessment, the (technical) severity rating model lacks sufficient environmental and contextual factors to assess risk accurately (e.g., threat intelligence and asset criticality). These limitations emphasize the need for more nuanced, context-sensitive approaches like the Stakeholder-Specific Vulnerability Categorization (SSVC). SSVC proposes a decision tree model that allows for customized prioritization based on threat landscape and organization’s specific needs​. We are developing a new model, trained on over 100,000 vulnerabilities and threat intelligence, providing a more flexible and risk-aware approach to vulnerability patch prioritization. Stay tuned for more updates as we refine this model and share our findings.

All Rights Reserved by ENTRYZERO GmbH

Website by Sanico Software

IMPRINT: ENTRYZERO GmbH, Konrad-Zuse-Straße 18, 44801 Bochum, Registered Office: Bochum, Registration Court: Local Court Bochum, Registration number: HRB 21709, VAT ID: DE369315057, Managing Directors: Dr. Mohamad Sbeiti, Samet Gökbayrak, Tel.: +49 151 56561989, Email: info@entryzero.ai

PRIVACY POLICY: This website does not collect any personal data. We do not use cookies, trackers, forms or similar technologies. However, by visiting our website you agree that for every site request the following non-personal information is stored on the webserver for statistical, intrusion detection/prevention and troubleshooting purposes: requested address (URL), request date and time, client IP address, user-agent and referer. No information is given to or shared with third parties