Submissions to China's National Vulnerability Database (CNNVD) are being used by the country's Ministry of State Security (MSS), which is able to vet them before they are published. CNNVD has since retroactively altered the publication dates of the affected entries in an apparent bid to conceal the activity.
The vetting process enables China's security services to cherry-pick the most useful flaws for cyber espionage, both at home and abroad.
That's according to security firm Recorded Future, which made the claims today in a new report. The report comes as China seeks to stop Chinese security researchers from disclosing their work outside the country.
"While conducting that research, we discovered that China had a process for evaluating whether high-threat vulnerabilities had operational utility in intelligence operations before publishing them to the CNNVD.
"In revisiting that analysis, we discovered that CNNVD had altered their initial vulnerability publication dates in what we assess is an attempt to cover up that evaluation process," claimed the organisation.
It claims that CNNVD altered the original publication dates in its database for "at least" 2,267 vulnerabilities, which Recorded Future had identified as statistical outliers in its research into CNNVD published in November.
"We assessed in November that CNNVD had a formal vulnerability evaluation process in which high-threat CVEs were evaluated for their operational utility by the MSS before publication, and that the publication lag was one way to identify vulnerabilities that the MSS was likely considering for use in offensive cyber operations. CNNVD's outright manipulation of these dates implicitly confirmed this assessment," claims the organisation.
It added: "By retroactively changing the original publication dates on these statistical outliers, CNNVD attempted to hide the evidence of this evaluation process, obfuscate which vulnerabilities the MSS may be utilizing, and limit the methods researchers can use to anticipate Chinese APT behaviour."
In its research, it found that while CNNVD generally publishes disclosed vulnerabilities faster than its US equivalent, the US National Vulnerability Database (NVD), at 13 days against the NVD's 33, for a number of the most serious vulnerabilities it can take much longer. Recorded Future's assessment is that those delays reflect the MSS evaluation process, and that CNNVD then rewrote the publication dates of the delayed entries to erase the lag.
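The lag-based method the report describes, written out as an added illustration rather than Recorded Future's own tooling: given two snapshots of publication dates, compute the CNNVD-minus-NVD lag per vulnerability, flag the unusually late entries with a robust median/MAD outlier test, then diff the snapshots to find which of those flagged entries later had their CNNVD date rewritten. The CVE identifiers, dates and threshold below are constructed for the example; a real analysis would feed in captured database records.

```python
"""Publication-lag outliers and retroactive date changes between two
snapshots of NVD/CNNVD publication dates. Added example, not Recorded
Future's or CNNVD's code; all identifiers and dates are constructed."""
from datetime import date
from statistics import median

# Constructed snapshot 1: per (placeholder) CVE, the NVD and CNNVD
# publication dates as first captured. Two entries lag NVD by weeks.
SNAPSHOT_1 = {
    "CVE-0000-0001": {"nvd": date(2017, 6, 13), "cnnvd": date(2017, 6, 1)},
    "CVE-0000-0002": {"nvd": date(2017, 6, 20), "cnnvd": date(2017, 6, 10)},
    "CVE-0000-0003": {"nvd": date(2017, 7, 16), "cnnvd": date(2017, 7, 1)},
    "CVE-0000-0004": {"nvd": date(2017, 7, 24), "cnnvd": date(2017, 7, 15)},
    "CVE-0000-0005": {"nvd": date(2017, 8, 11), "cnnvd": date(2017, 7, 31)},
    "CVE-0000-0006": {"nvd": date(2017, 8, 1), "cnnvd": date(2017, 9, 30)},
    "CVE-0000-0007": {"nvd": date(2017, 9, 1), "cnnvd": date(2017, 10, 16)},
    "CVE-0000-0008": {"nvd": date(2017, 9, 20), "cnnvd": date(2017, 9, 12)},
}

# Constructed snapshot 2: same records captured later, with the two late
# entries' CNNVD dates moved earlier than the NVD date (backdated).
SNAPSHOT_2 = {cve: dict(rec) for cve, rec in SNAPSHOT_1.items()}
SNAPSHOT_2["CVE-0000-0006"]["cnnvd"] = date(2017, 7, 25)
SNAPSHOT_2["CVE-0000-0007"]["cnnvd"] = date(2017, 8, 25)


def lag_days(snapshot):
    """CNNVD publication date minus NVD publication date, in days, per CVE.
    Positive means CNNVD published later than NVD."""
    return {cve: (rec["cnnvd"] - rec["nvd"]).days for cve, rec in snapshot.items()}


def late_outliers(lags, k=3.0):
    """CVEs whose lag is unusually large relative to the bulk of the data,
    using median and scaled MAD so the outliers themselves do not distort
    the baseline. One-sided: only unusually *late* publication matters here.
    Returns cve -> robust z-score for the flagged entries."""
    values = list(lags.values())
    med = median(values)
    mad = median([abs(v - med) for v in values])
    # Guard: if most lags are identical MAD is 0; fall back to a 1-day scale
    # so the threshold becomes "more than k days later than the median".
    scale = 1.4826 * mad if mad > 0 else 1.0
    return {cve: round((lag - med) / scale, 2)
            for cve, lag in lags.items() if (lag - med) / scale > k}


def altered_dates(before, after, field="cnnvd"):
    """CVEs present in both snapshots whose publication date changed:
    cve -> (old_date, new_date, shift_days). Negative shift = backdated."""
    changed = {}
    for cve in before.keys() & after.keys():
        old, new = before[cve][field], after[cve][field]
        if old != new:
            changed[cve] = (old, new, (new - old).days)
    return changed


def suspicious(before, after, k=3.0):
    """Outliers in the first snapshot whose CNNVD date was then rewritten:
    the combination the text describes as hiding the evaluation lag."""
    lags_before, lags_after = lag_days(before), lag_days(after)
    flagged = late_outliers(lags_before, k)
    rewritten = altered_dates(before, after)
    return {cve: {"lag_before": lags_before[cve],
                  "lag_after": lags_after[cve],
                  "shift_days": rewritten[cve][2]}
            for cve in flagged if cve in rewritten}


if __name__ == "__main__":
    print("outliers in snapshot 1:", late_outliers(lag_days(SNAPSHOT_1)))
    print("outliers in snapshot 2:", late_outliers(lag_days(SNAPSHOT_2)))
    for cve, info in suspicious(SNAPSHOT_1, SNAPSHOT_2).items():
        print(cve, info)
```

Run against the constructed data, the two late entries are flagged in the first snapshot and vanish from the outlier set in the second, because the rewritten dates now sit inside the normal lag band; the only trace left is the diff between captures, which is why keeping historical snapshots of the database matters more than any single pull.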
"This process meant that CNNVD would delay public notification, patching, and remediation guidance so the MSS could assess whether a vulnerability would be useful in their intelligence operations," claimed Recorded Future.
It added: "This systemic retroactive alteration of original publication dates by CNNVD is an attempt to hide the evidence of this process, obfuscate which vulnerabilities the MSS may be utilizing, and limit the methods researchers can use to anticipate Chinese APT behaviour."
However, this practice will almost certainly end up putting Chinese organisations at risk, with information about the most serious security flaws being published first elsewhere.
"This data manipulation reinforces the dominance of the secrecy mandate over transparency in China. Instead of taking steps to remove the undue influence of secrecy and the intelligence services over vulnerability reporting, CNNVD has gone the opposite way and sought instead to further conceal that influence," the report concludes.