Newly published research reveals that China has been manipulating critical vulnerability data in its national database (CNNVD), and then backdating the publication dates of those entries to hide the evidence
Recorded Future reckons this manipulation reveals more than it conceals, and the Chinese state has allowed a supposedly public service organisation with a ‘transparency mandate’ to be run by an intelligence agency with a secrecy one. Priscilla Moriuchi, director of strategic threat development at Recorded Future and one of the authors of the report, told SC Media UK that “the CNNVD data manipulation and the influence of the MSS on the vulnerability reporting process is the clearest example to date of why an intelligence service should not manage public vulnerability notification” continuing that such a large-scale manipulation of vulnerability data “undermines trust and could compromise security operations relying solely on CNNVD for that information.”
Why does this not surprise me as much as the size of the window between becoming aware of a critical vulnerability and actually informing the world about it? The US is just as bad as China in that regard, and anyway we already know that the Americans stockpile zero-days and critical vulnerabilities for offensive use.
A shorter threat window would be great but, to be fair, is easier to achieve in theory than in practice. Manipulating CVE dates to make them appear to have been issued long before they actually were, and syncing those manipulated dates with the US ones, is a whole different bag of bad, though.
Can you explain in layman's terms why it is so difficult to pass on critical vulnerability warnings as soon as they have been verified? Thanks. Mac.