Make America late again: US 'lags' China in IT security bug reporting

Mind the gap

The US is starting to fall well behind China in terms of the speed at which organizations are alerted to reported security vulnerabilities, according to a study out this week by threat intel biz Recorded Future.

The US government's National Vulnerability Database (NVD) lags China's National Vulnerability Database (CNNVD) in the average time between a vulnerability first being disclosed and its report appearing in the centralized database: 33 days versus 13 days, respectively. In other words, companies and other organizations in China subscribing to the CNNVD are warned of a hole potentially within their systems an average of 13 days after details of the flaw first surface, versus 33 days for those following NVD.

China's CNNVD isn't involved in managing the disclosure of vulnerabilities globally, unlike the US's NVD, but it has been able to overcome this potential disadvantage to push out warnings of bug discoveries more than twice as fast as its North American counterpart, on average.

NVD's publication of bugs is delayed by days and weeks, we're told, because it relies on submissions from vendors and organizations (the CVE Numbering Authorities) that assign unique ID numbers, dubbed Common Vulnerabilities and Exposures or CVEs, to flaws. China, by contrast, has achieved timely disclosure by combing extensive online sources to spot any details of newly discovered bugs. While the US government has focused on an official process, China has focused on the key goal: detecting talk of new bugs and disclosing warnings about them.

Vulnerability disclosure timeline for NVD ... Source: Recorded Future

Recorded Future concludes that US bug indexers need to get more proactive if they want to alert IT departments, government agencies and users of new threats before hackers stumble across details of vulnerabilities and exploit them to infect systems. The team noted:

When hackers and security teams are racing to exploit or patch vulnerabilities, having access to the latest vulnerability information is critical. The United States National Vulnerability Database (NVD) is an obvious place security teams should be able to rely on to get this latest information.

Unfortunately, because NVD relies on voluntary submissions, NVD is often updated weeks after a vulnerability is initially disclosed. This gap ensures that NVD cannot provide comprehensive vulnerability coverage.

NVD should extend its mission to proactively gather vulnerability information as its Chinese counterpart (CNNVD) does.

Bill Ladd, chief data scientist at Recorded Future, argued that NVD could improve its performance simply by incorporating content from China’s CNNVD. “1,746 CVEs are currently in CNNVD and absent in NVD,” Ladd said.

An earlier study by Recorded Future found that more than three-quarters of vulnerabilities are publicly reported online before National Vulnerability Database publication.
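To make the study's metric concrete, here is an added example (not code from the original article, Recorded Future or NVD) that computes the disclosure-to-publication lag and lists the CVE IDs absent from NVD, covering both points above: the per-CVE delay behind first public mention, and identifiers that exist in a second source but not in NVD. The feed records are constructed inline, shaped after the NVD JSON 1.1 feed layout (CVE_Items[].publishedDate); the FIRST_SEEN table stands in for a hypothetical external watcher (advisories, mailing lists, or another database such as CNNVD). None of it is real vulnerability data.

```python
"""Measure how far a vulnerability database trails first public disclosure.

Added example, not Recorded Future's or NVD's code. Records below are
constructed, shaped after the NVD JSON 1.1 feed (CVE_Items[].publishedDate),
plus a hypothetical 'first seen' table from an external source.
"""
import json
from datetime import datetime, timezone
from statistics import mean, median

# Constructed sample shaped like an NVD JSON 1.1 feed (not real NVD data).
NVD_FEED = json.dumps({
    "CVE_data_type": "CVE",
    "CVE_Items": [
        {"cve": {"CVE_data_meta": {"ID": "CVE-2017-0001"}}, "publishedDate": "2017-06-30T14:29Z"},
        {"cve": {"CVE_data_meta": {"ID": "CVE-2017-0002"}}, "publishedDate": "2017-07-10T10:00Z"},
        {"cve": {"CVE_data_meta": {"ID": "CVE-2017-0003"}}, "publishedDate": "2017-07-01T08:15Z"},
        {"cve": {"CVE_data_meta": {"ID": "CVE-2017-0005"}}, "publishedDate": "2017-07-05T12:00Z"},
    ],
})

# Constructed "first public mention" timestamps (hypothetical external source):
# the earliest time each CVE ID was seen anywhere public.
FIRST_SEEN = {
    "CVE-2017-0001": "2017-06-01T14:29Z",   # 29 days before NVD published it
    "CVE-2017-0002": "2017-07-09T10:00Z",   # 1 day before
    "CVE-2017-0003": "2017-06-21T08:15Z",   # 10 days before
    "CVE-2017-0004": "2017-06-15T00:00Z",   # never reached NVD in this sample
    "CVE-2017-0005": "2017-07-06T12:00Z",   # NVD was first here; lag clamps to 0
}


def parse_ts(s):
    # NVD 1.1 feed timestamps look like 2017-06-30T14:29Z (minute precision, UTC).
    return datetime.strptime(s, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)


def nvd_published(feed_json):
    """Map CVE ID -> publication datetime from an NVD-1.1-shaped feed."""
    feed = json.loads(feed_json)
    return {item["cve"]["CVE_data_meta"]["ID"]: parse_ts(item["publishedDate"])
            for item in feed["CVE_Items"]}


def lag_report(feed_json, first_seen):
    """Per-CVE lag in days (NVD publish time minus first public mention).

    If NVD itself was the first public mention the lag is 0, not negative.
    Also returns summary statistics and the IDs the external source knows
    about that are absent from the NVD feed.
    """
    published = nvd_published(feed_json)
    lags = {}
    for cve, seen in first_seen.items():
        if cve in published:
            delta = published[cve] - parse_ts(seen)
            lags[cve] = max(delta.total_seconds() / 86400, 0.0)
    missing = sorted(set(first_seen) - set(published))
    values = list(lags.values())
    return {
        "lag_days": lags,
        "mean_lag_days": mean(values) if values else 0.0,
        "median_lag_days": median(values) if values else 0.0,
        # fraction of covered CVEs that were public somewhere before NVD had them
        "share_disclosed_before_nvd": (sum(1 for d in values if d > 0) / len(values)) if values else 0.0,
        "missing_from_nvd": missing,
    }


if __name__ == "__main__":
    print(json.dumps(lag_report(NVD_FEED, FIRST_SEEN), indent=2))
```

Run against a real feed, the interesting numbers are the median (the mean is dragged around by a few very late entries) and the "missing" list, which is exactly the kind of gap the 1,746-CVE figure describes; a team that only consumes NVD never sees those IDs at all.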

On the one hand, it's highly useful to have a centralized database in which details and alerts of bugs and patches are pooled. On the other, it's not an easy task, and it is one that private-sector infosec companies already perform for paying corporations.

Bug bounty pioneer Katie Moussouris told El Reg: “NVD is run by a small group with limited resources. Most who need real time vulnerability info don't rely on it. Commercial services fill that role.” ®
