China has constructed an extensive vulnerability collection system that enables its intelligence services and military units to access software flaws for offensive cyber operations, according to a comprehensive analysis of the country’s cybersecurity infrastructure.
The system, implemented through 2021 regulations, fundamentally reshapes how software vulnerabilities flow from discovery to potential weaponization.
Mandatory Reporting Creates an Intelligence Pipeline
The Cyberspace Administration of China (CAC), the Ministry of Public Security (MPS), and the Ministry of Industry and Information Technology (MIIT) issued the “Regulations on the Management of Network Product Security Vulnerabilities” (RMSV) in July 2021, in force from September 2021, requiring network product providers to report vulnerabilities in their products to MIIT within 48 hours of discovering them.
This mandate creates a direct pipeline from private sector vulnerability research to China’s intelligence apparatus.

The regulations bar researchers from publishing vulnerability details before a patch is available unless they have coordinated with the product owner and MIIT, from releasing proof-of-concept exploit code, and from exaggerating a vulnerability’s severity.
This effectively channels all vulnerability reports through government databases before they are publicly disclosed.
The MIIT’s new Cybersecurity Threat and Vulnerability Information Sharing Platform (NVDB) serves as the central collection point, featuring five specialized databases covering network devices, industrial control systems, government-used Chinese technology, internet-connected vehicles, and mobile applications.
The system shares data with the National Computer Network Emergency Response Technical Team (CNCERT/CC) and the Ministry of Public Security.
Intelligence Services Access Vulnerability Arsenal
Perhaps most concerning is the direct access provided to China’s Ministry of State Security (MSS) through multiple pathways.
The China National Vulnerability Database (CNVD) distributes vulnerability data to “Technology Collaboration Organizations” that include the Beijing office of MSS’s 13th Bureau, known PLA contractors like Beijing TopSec (linked to the Anthem Insurance hack), and research centers conducting “APT attack and defense” research.
The MSS-operated China National Vulnerability Database of Information Security (CNNVD) maintains 151 private cybersecurity companies as “technical support units” that employ at least 1,190 vulnerability researchers.
These researchers provide a minimum of 1,955 software vulnerabilities annually to the MSS, with at least 141 classified as critical severity.
Weaponization Evidence and Impact
Earlier statistical analysis of CNNVD’s publication timelines had already indicated that the MSS likely withheld high-severity vulnerabilities from public disclosure for use in offensive operations.
Microsoft’s 2022 Digital Defense Report noted an increase in zero-day exploitation by China-based threat actors and identified the RMSV as a “likely” driver of that increase.
The system has dramatically reduced public vulnerability disclosure.
Industrial control system (ICS) vulnerabilities published through CNVD fell from hundreds per year before 2021 to just ten in 2022, a year in which the US recorded 113 exploited ICS vulnerabilities.
This disparity suggests vulnerabilities are being collected but not shared with defenders, consistent with offensive stockpiling practices.