aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

Index CNVD #697

Open armijnhemel opened 2 years ago

armijnhemel commented 2 years ago

The China National Vulnerability Database (CNVD) is possibly a good source of security information: https://www.cnvd.org.cn/

chinyeungli commented 2 years ago

Did a quick look at the CNVD and found this introduction page: https://www.cnvd.org.cn/webinfo/list?type=7

Google Translate did a good job, I think.

Introduction to CNVD

The China National Vulnerability Database (CNVD for short) is a national network security vulnerability database jointly established by the National Computer Network Emergency Technology Handling Coordination Center (National Internet Emergency Response Center in Chinese, CNCERT in English) together with security vendors, software vendors and Internet companies.

The main goal of establishing CNVD is to jointly establish a unified collection and verification, early warning release and emergency response system for software security vulnerabilities with national government departments, important information system users, operators, major security vendors, software vendors, scientific research institutions, and public Internet users, and to improve the country's overall research level and timely prevention ability in terms of security vulnerabilities, thereby improving the security of the country's information systems and domestic software, and driving the development of domestic related security products.

CNVD Vulnerability Handling Strategy

Frequently Asked Questions about this Policy

Q: What is the process for handling vulnerabilities?
A: After the abnormal information (called "abnormal information" before it is confirmed as a vulnerability) is reported, if the abnormal phenomenon can be reproduced, CNCERT/CC will organize the CNVD support unit to conduct vulnerability analysis and verification. After verifying and confirming the vulnerability information, it will negotiate the release time with relevant manufacturers, and selectively release the vulnerability information according to the vulnerability release strategy.

Q: How do information system users report vulnerability information?
A: Vulnerability information can be reported to CNCERT/CC via website or email. The email address is: vreport@cert.org.cn. In view of the sensitivity of vulnerability information, it is recommended to use PGP key encryption when reporting vulnerability information (download address: https://www.cert.org.cn/cnvd.asc, Fingerprint: 2749 3320 B75A 1AEA 8E52 B1BD 7FF7 EB2C 8D8A 398C). If you have any questions, you can also directly call the hotline 010-82990999.

Internet Society of China Vulnerability Information Disclosure and Disposal Self-discipline Convention

Article 1 In accordance with the basic policy of "seeking advantages and avoiding disadvantages, effective management, and active guidance", in order to protect the Internet security rights and interests of the country, enterprises and the public in accordance with the law, ensure the information system security of the government and important information system departments, and further regulate domestic and foreign vulnerability platforms, relevant manufacturers, information system administrators, and the National Computer Network Emergency Technology Handling Coordination Center (hereinafter referred to as CNCERT) in the reception, disposal and release of vulnerability information, this Convention is formulated.

Article 2 Security loopholes (hereinafter referred to as loopholes) as mentioned in this Convention refer to the defects and deficiencies existing in the design and implementation of hardware, software and communication protocols or in the system security strategy of information systems; illegal users can exploit security loopholes to obtain additional permissions for information systems.

chinyeungli commented 2 years ago

The CVE is identified on each component detail page. For instance, https://www.cnvd.org.cn/flaw/show/CNVD-2022-28466

armijnhemel commented 2 years ago

> The CVE is identified on each component detail page. For instance, https://www.cnvd.org.cn/flaw/show/CNVD-2022-28466

Extracting the CNVD number and linking it with an existing CVE would already be useful, I think (as Chinese users might prefer to go to CNVD instead of CVE).

The really interesting case would of course be if there is anything in CNVD that is not (yet) in CVE. Also, if CNVD has any interesting information that CVE or NVD doesn't have that would be valuable information.
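As an added example of the CNVD-to-CVE linking suggested above (this is not vulnerablecode's own importer code), the script below pulls the CNVD id and any CVE ids out of a flaw page, checks that the id in the URL really is the id on the page, and flags entries that name no CVE at all, which is the "not (yet) in CVE" case. The HTML is a constructed stand-in whose layout is an assumption, not copied from cnvd.org.cn; the CNVD id CNVD-2022-28466 is the one named in this thread, while CVE-2022-00000 and CNVD-2022-00000 are placeholders, not real assignments. Function and class names (`parse_cnvd_page`, `CnvdRecord`, `to_advisory_data`) are likewise the example's own.

```python
"""Extract a CNVD id and its CVE aliases from a CNVD flaw page.

Added example, not vulnerablecode's own importer. The page markup below is an
assumption (a constructed stand-in for cnvd.org.cn), and the CVE number and the
second CNVD number are placeholders, not real assignments.
"""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit

# CNVD ids look like CNVD-YYYY-NNNNN; CVE ids are CVE-YYYY-NNNN with four or
# more trailing digits.
CNVD_ID_RE = re.compile(r"\bCNVD-\d{4}-\d{4,}\b")
CVE_ID_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample 1: the CNVD id is the one named in the thread, the CVE id
# is a placeholder. The table layout is assumed, not copied from the real site.
SAMPLE_URL = "https://www.cnvd.org.cn/flaw/show/CNVD-2022-28466"
SAMPLE_HTML = """<html><body>
<h1>CNVD-2022-28466</h1>
<table>
  <tr><td>CVE ID</td><td><a href="#">CVE-2022-00000</a></td></tr>
  <tr><td>Description</td><td>Also tracked as CVE-2022-00000 upstream.</td></tr>
</table>
</body></html>"""

# Constructed sample 2: a CNVD entry with no CVE on the page, the case the
# thread calls the really interesting one. Placeholder id.
SAMPLE_URL_NO_CVE = "https://www.cnvd.org.cn/flaw/show/CNVD-2022-00000"
SAMPLE_HTML_NO_CVE = """<html><body>
<h1>CNVD-2022-00000</h1>
<table><tr><td>CVE ID</td><td></td></tr></table>
</body></html>"""


class _TextExtractor(HTMLParser):
    """Collect text nodes only, so ids inside attributes or scripts are ignored."""

    def __init__(self) -> None:
        super().__init__()
        self.chunks: List[str] = []

    def handle_data(self, data: str) -> None:
        self.chunks.append(data)


def html_to_text(html: str) -> str:
    parser = _TextExtractor()
    parser.feed(html)
    return " ".join(parser.chunks)


@dataclass
class CnvdRecord:
    cnvd_id: str
    url: str
    cve_ids: List[str] = field(default_factory=list)

    @property
    def cnvd_only(self) -> bool:
        """True when the page names no CVE: a candidate for an entry not (yet) in CVE."""
        return not self.cve_ids


def cnvd_id_from_url(url: str) -> Optional[str]:
    match = CNVD_ID_RE.search(urlsplit(url).path)
    return match.group(0) if match else None


def parse_cnvd_page(html: str, url: str) -> CnvdRecord:
    """Parse one flaw page. The id in the URL must also appear in the page body,
    so a redirect or error page is not silently recorded under the wrong id."""
    expected = cnvd_id_from_url(url)
    if expected is None:
        raise ValueError(f"no CNVD id in URL: {url}")
    text = html_to_text(html)
    if expected not in set(CNVD_ID_RE.findall(text)):
        raise ValueError(f"{expected} not found in page body for {url}")
    # De-duplicate: the same CVE is commonly repeated in several fields.
    cve_ids = sorted(set(CVE_ID_RE.findall(text)))
    return CnvdRecord(cnvd_id=expected, url=url, cve_ids=cve_ids)


def to_advisory_data(record: CnvdRecord) -> dict:
    """Shape the record the way an importer would hand it on: the CNVD id as the
    primary identifier, the CVE ids as aliases, and the source URL kept as a
    reference so the link back to CNVD survives."""
    return {
        "vulnerability_id": record.cnvd_id,
        "aliases": list(record.cve_ids),
        "references": [record.url],
        "cnvd_only": record.cnvd_only,
    }


if __name__ == "__main__":
    for html, url in ((SAMPLE_HTML, SAMPLE_URL), (SAMPLE_HTML_NO_CVE, SAMPLE_URL_NO_CVE)):
        print(to_advisory_data(parse_cnvd_page(html, url)))
```

Matching on text nodes rather than the raw HTML keeps ids that only occur in links, scripts or tracking attributes out of the alias list, and the URL-versus-body check is the guard a crawler needs against silently filing an error or redirect page under the wrong CNVD id. Records with `cnvd_only` set are the ones worth a second look for information that CVE or NVD does not carry.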

pombredanne commented 1 year ago

There is also the closely related but different CNNVD https://en.wikipedia.org/wiki/Chinese_National_Vulnerability_Database