Uncovering the Differences: U.S. vs. China Vulnerability Databases
Nov 12, 2024
ENTRYZERO
In cybersecurity, national vulnerability databases are pivotal in cataloging and assessing software vulnerabilities. Two prominent databases are the U.S. National Vulnerability Database (NVD) and China’s National Vulnerability Database (CNNVD). Current industry practices often recommend utilizing Common Vulnerability Scoring System (CVSS) scores and severity ratings to prioritize actions such as patch management. This underlines the relevance of the reliability and consistency of the “ground truth” of these severity ratings. This blog is a comparative analysis of the severity assigned to 143,065 vulnerabilities by NVD and CNNVD from 2019 to October 2024. Our key question is: How do both databases differ in their vulnerability severity ratings? The results reveal notable discrepancies, underscoring the importance of understanding these differences for global cybersecurity strategies.
Comparative Analysis of Vulnerability Numbers and Publication Dates
NVD and CNNVD categorize vulnerabilities into four severity levels: ‘‘Low’’, ‘‘Medium’’, ‘‘High’’, and ‘‘Critical’’. These ratings guide organizations in prioritizing their security responses. For our analysis, we have considered vulnerabilities reported from 2019 to October 2024 as depicted in the table below.
| Database | Total Vulnerabilities | Total Critical Vulnerabilities |
|---|---|---|
| NVD | 141,386 | 20,231 |
| CNNVD | 143,065 | 18,349 |
The results show that both databases have cataloged a similar number of vulnerabilities over six years. Examining critical vulnerabilities reveals that the NVD has identified a slightly higher count than the CNNVD. This examination also highlights a general upward trend in critical vulnerabilities over time. The latter is illustrated in the figure below.
Analyzing the publication timelines of NVD and CNNVD discloses significant differences in their publishing speeds:
| Publishing Entity | Number of Vulnerabilities Published Earlier |
|---|---|
| NVD over CNNVD | 31,876 |
| CNNVD over NVD | 658 |
| Same Publication Date | 108,931 |
The table above indicates that NVD has been more proactive in publishing vulnerability information ahead of CNNVD. Various factors, including differences in disclosure policies, resource allocation, and national security considerations, may influence this discrepancy. Understanding these dynamics is crucial for organizations to develop comprehensive and timely vulnerability management strategies.
Comparative Analysis of Vulnerability Severity
The following graphic presents a cross-tabulation of severity ratings between NVD and CNNVD over the specified period. In our data, the vulnerabilities for which severity ratings were unavailable were categorized as ‘‘None’’. One point of note is that while NVD assigns a score in addition to the severity rating (CVSS), CNNVD does not provide an equivalent scoring system:
Key Observations
Alignment in Severity Ratings: Many vulnerabilities have matching severity ratings in both databases, particularly in the ‘‘Medium’’ and ‘‘High’’ categories. For instance, 57,863 vulnerabilities are classified as ‘‘Medium’’ by NVD and CNNVD, and 49,026 as ‘‘High’’.
Discrepancies in Critical Ratings: 2,474 vulnerabilities are rated as ‘‘Critical’’ by NVD while CNNVD rates them lower. On the other side, 663 vulnerabilities are rated as ‘‘Critical’ by CNNVD while NVD rates them lower. This accounts for almost 3,000+ differences in vulnerability ratings in the higher end of the spectrum.
Variations in Low Ratings: 498 vulnerabilities are rated as ‘‘Low’’ by NVD while CNNVD rates them higher. On the other side, 530 vulnerabilities are rated as ‘‘Low’ by CNNVD while NVD rates them higher. This accounts for almost 1,000+ differences in vulnerability ratings in the lower end of the spectrum.
Missing Vulnerability Ratings: 3,829 vulnerabilities have missing ratings in NVD in the last 6 years while 992 vulnerabilities have missing ratings in CNNVD. This leads to different assessment by different stakeholders of the corresponding vulnerabilities. Given that many workflows and prioritization actions rely on these databases, this questions the reliability and consistency of this “ground truth”.
It’s Time to Prioritize Beyond Severity Ratings!
In addition to the high volume and upward trend of critically rated vulnerabilities — and the fact that these account for only 37.4% of exploited vulnerabilities according to the EPSS Study — the discrepancies between NVD and CNNVD severity ratings underscore key limitations of relying solely on these for patch prioritization. As suggested in recent studies Time to Change the CVSS, Software Vulnerability Exploitability Assessment, the (technical) severity rating model lacks sufficient environmental and contextual factors to assess risk accurately (e.g., threat intelligence and asset criticality). These limitations emphasize the need for more nuanced, context-sensitive approaches like the Stakeholder-Specific Vulnerability Categorization (SSVC). SSVC proposes a decision tree model that allows for customized prioritization based on threat landscape and organization’s specific needs. We are developing a new model, trained on over 100,000 vulnerabilities and threat intelligence, providing a more flexible and risk-aware approach to vulnerability patch prioritization. Stay tuned for more updates as we refine this model and share our findings.
