TL;DR: Key Differences in National Vulnerability Databases
- United States (NVD): Open, comprehensive, CVE-based. Focuses on accurate, public disclosure with slight delays (~7–30 days). No censorship, but 0-days may be withheld via a classified Vulnerability Equities Process.
- China (CNNVD/CNVD): Dual databases, fast and sometimes earlier than NVD. However, vulnerabilities are legally required to be reported to the state first. Critical ones may be withheld or delayed for offensive use. CNNVD is linked to intelligence services; CNVD is more defense-focused.
- Russia (FSTEC/BDU): Highly selective (only ~10% of CVEs), very slow (~80+ day delay), and focused on national interest. Transparency is low. Database used as a strategic control tool, not for broad cybersecurity.
- European Union (CERTs/BSI/CERT-EU): Decentralized. Relies on CVE/NVD + national CERT advisories. Emphasizes coordinated disclosure, high transparency, no state censorship. Focused on helping defenders patch quickly.
- Japan (JVN): Full CVE mirror + domestic discoveries. Transparent, fast, bilingual (JP/EN). Coordinated disclosure via JPCERT. Defensive and public-good oriented, similar to U.S./EU.
Core difference:
Authoritarian states (China, Russia) treat vulnerability info as strategic state-controlled assets, sometimes delaying or censoring. Democracies (U.S., EU, Japan) prioritize transparency, coordination, and public defense.
Introduction
National vulnerability databases (NVDs) and security advisory portals are key resources for tracking known cybersecurity vulnerabilities (commonly identified by CVE IDs) and associated remediation information. Different nations and regions operate their own databases or advisory systems to catalog vulnerabilities, often supplementing or mirroring the global CVE system. This report compares major national vulnerability databases – examining which vulnerabilities they track, how they are maintained, disclosure policies and timelines, accessibility, and the political or legal influences that shape them. We focus on the United States, China, Russia, the European Union (and member states like Germany), and other notable examples such as Japan. Citations are provided to substantiate the analysis.
United States: NVD (National Vulnerability Database)
The United States’ National Vulnerability Database (NVD) is a comprehensive public repository of computer security vulnerabilities maintained by NIST. It is built on the CVE system, incorporating all publicly disclosed vulnerabilities with CVE identifiers [greenbone.net]. NVD enriches each CVE entry with additional data such as standardized severity scores (CVSS), affected product identifiers (CPE), and fix information. It was established in 2000 and is updated continuously (typically within hours or days of a CVE’s public release). As a U.S. government resource, the NVD’s mission is to provide timely, standardized vulnerability information to help defenders automate security management [en.wikipedia.org]. All data is in English and available freely via a web portal and machine-readable feeds (e.g. JSON via the Security Content Automation Protocol). NVD is widely regarded as “the world’s most centralized global repository of vulnerability information” [greenbone.net], and many organizations worldwide rely on it.
Disclosure and tracking: NVD entries are added after a vulnerability has been disclosed through the CVE process. The U.S. follows a voluntary, coordinated disclosure model – software vendors or researchers report flaws to CVE Numbering Authorities (often the vendor itself or MITRE) who assign a CVE ID and publish details, after which NIST NVD indexes it [theregister.com]. There is generally no government censorship or holding back of vulnerabilities in NVD; its goal is to list all known issues once public. However, the U.S. government does have an internal Vulnerabilities Equities Process (VEP) to decide whether to disclose or temporarily withhold newly discovered vulnerabilities that the government finds (e.g. via intelligence) [archive.epic.org]. Under the VEP, agencies weigh if a 0-day should be reported to the vendor (to fix it) or kept secret for possible offensive use [archive.epic.org]. This process occurs behind closed doors and only affects whether a vulnerability becomes public – once a vulnerability is public and has a CVE, it will be in NVD. In practice, the vast majority of vulnerabilities tracked by NVD come from researchers and vendors disclosing them, not from government-found exploits.
Timelines: One critique of NVD has been the time lag from initial disclosure to NVD publication. Because it relies on the CVE assignment and vendor coordination process, NVD can be slower to update than some more proactive sources. Studies in 2017 found that the U.S. NVD took on average about 33 days from a vulnerability’s initial disclosure to public NVD entry, whereas China’s database only took ~13 days [theregister.com]. This 20-day gap meant Chinese users could learn of new flaws faster. Another analysis showed a median lag of ~7 days for NVD (with 75% of vulns appearing elsewhere first) [en.wikipedia.org], highlighting that often details circulate on vendor advisories or forums before NVD entry. The delays largely stem from waiting for official CVE publication and validation [theregister.com]. NIST has worked to speed up processing, but NVD prioritizes accuracy and coordination over being first. Once a CVE is public, NVD usually adds it within hours to a few days along with its analysis. Notably, the U.S. does not deliberately delay public vulnerability disclosure for defensive advantage – aside from the separate VEP process for government-discovered 0-days, NVD’s delays are procedural, not strategic [theregister.com].
Accessibility and transparency: The U.S. NVD is highly accessible and transparent. All information is published on a public website (nvd.nist.gov) with search and filter capabilities, and via data feeds for integration into security tools. There are no restrictions on access – it’s free and open to anyone. NVD does not alter or hide vulnerability data (beyond correcting errors); it simply republishes CVE information with enhancements. The database is in English and has become a de facto global reference. In addition to NVD, U.S. agencies also issue security advisories for noteworthy threats – for example, CISA maintains the “Known Exploited Vulnerabilities Catalog” of actively exploited CVEs, and publishes ICS-CERT advisories for industrial control system flaws. These are complementary to NVD, focusing on exploitation status and critical infrastructure respectively, but they still reference the same CVEs tracked by NVD. Overall, the U.S. approach is one of public-private coordination and open information-sharing, aiming to notify all stakeholders of vulnerabilities so they can be fixed, with minimal filtering except for rare national security cases.
China: CNNVD and CNVD
China maintains two parallel national vulnerability databases – the China National Vulnerability Database (CNNVD) and the China National Vulnerability Database of Information Security Sharing Platform (CNVD) [en.wikipedia.org, cert.org.cn]. Despite the similar names, these are operated by different organizations and serve slightly different roles:
- CNNVD is run by the China Information Technology Security Evaluation Center (CNITSEC) under the Ministry of State Security (MSS) [en.wikipedia.org]. Established in 2009, CNNVD has cataloged a vast number of vulnerabilities (over 117,000 by late 2020) [en.wikipedia.org]. It mirrors globally known CVEs and also assigns its own tracking IDs. CNNVD’s mission (per its official description) includes analysis of IT product vulnerabilities and security risk assessments for government systems [en.wikipedia.org]. However, unlike NVD, CNNVD is closely tied to China’s intelligence apparatus (MSS) and has been criticized as serving a dual role: both informing defenders and feeding offensive cyber operations [en.wikipedia.org]. Recorded Future research provided evidence that CNNVD systematically reviews all vulnerability reports for potential intelligence value before public release [en.wikipedia.org]. If a newly reported flaw is deemed useful for espionage or attack, Chinese authorities may delay its public disclosure via CNNVD so it can be exploited or studied in secret [en.wikipedia.org]. Notably, CNNVD has been caught back-dating publication timestamps to make delayed releases appear prompt [en.wikipedia.org]. For most vulnerabilities, CNNVD is actually very fast at publication – it averages roughly 13 days from initial disclosure to database inclusion, much faster than the U.S. 33-day average [theregister.com]. In fact, at times CNNVD had entries appearing even before a CVE ID was officially assigned, by scraping information from developer forums, exploit sites, and other sources [theregister.com]. This proactive approach means CNNVD often leads the world in initial vulnerability alerts, except when deliberate delay is imposed for a high-value case. CNNVD provides its website interface in Chinese; it is publicly accessible, though the language and intelligence filtering limit transparency. The database is comprehensive in scope – covering vulnerabilities in both foreign and domestic products – and uses both CNNVD IDs and cross-references to CVEs when available.
- CNVD is operated by the China National Computer Network Emergency Response Team (CNCERT/CC), which is a coordination center under the Ministry of Industry and Information Technology (MIIT) [cert.org.cn]. CNVD is described as a “vulnerability sharing platform” – it collects reports from security researchers and companies within China and shares vulnerability information. CNCERT/CC’s role is more aligned with defense and protecting networks; CNVD is akin to a Chinese CERT advisory portal. It publishes vulnerability notes, often referencing CVEs but also assigning a CNVD ID, for issues reported through domestic channels. Some vulnerabilities appear on CNVD that do not immediately show up in international databases – for example, researchers have found cases of CNVD entries for which no CVE existed yet on NVD [sentinelone.com]. This implies CNVD may cover locally-discovered flaws (especially in Chinese software or less internationally reported issues) that haven’t gone through MITRE’s CVE process. In general, CNVD collaborates with vendors to coordinate fixes and disclosures, similar to how other national CERTs operate. The publication speed of CNVD is also quite prompt; while detailed metrics are less public, CNVD releases weekly or even daily bulletins of new vulnerabilities. Unlike CNNVD, CNVD is not overtly an intelligence tool – it is meant to help defenders by sharing information. Indeed, China’s vulnerability management regulations since 2021 formalize CNVD’s role: new rules require that the MIIT’s database (feeding CNVD) and the MSS’s database (CNNVD) share information, with MIIT ensuring vendors are alerted [atlanticcouncil.org].
Disclosure policies and legal framework: In July 2021, China introduced sweeping new Regulations on the Management of Network Product Security Vulnerabilities, which have a significant impact on how vulnerabilities are handled nationally. These rules require that any entity in China discovering a vulnerability must report it to the government (MIIT) within 2 working days [therecord.media]. Researchers and vendors are effectively prohibited from public disclosure or even informing any “overseas” entity before a fix is available without government approval [therecord.media]. Publishing exploit proof-of-concept code or exaggerating a flaw’s severity is also banned by these regulations [therecord.media]. In essence, China has codified a controlled disclosure process: the government gets early access to all vulnerability information, can quietly pass it to other bodies (like MSS or CNCERT) as needed, and only allows public or international disclosure on its terms [therecord.media]. This stands in contrast to Western practices where independent researchers often disclose to the public or through foreign bug bounty programs – China now forbids Chinese researchers from sharing vulnerabilities with foreign organizations beyond the affected vendor [therecord.media]. The strategic intent is clear: Beijing treats vulnerability knowledge as a national strategic resource. By funneling all reports through state channels, Chinese authorities can patch critical domestic systems while potentially weaponizing certain exploits before the wider world knows about them [en.wikipedia.org]. This was exemplified by the Recorded Future finding that CNNVD, under MSS influence, delayed publishing certain “high-threat” CVEs to give offensive teams a head start [atlanticcouncil.org]. One well-known outcome was that CNNVD’s timeline data for hundreds of vulnerabilities was later altered to hide these delays [atlanticcouncil.org].
At the same time, not all Chinese vulnerability handling is about offense. Through CNVD and CNCERT, China also emphasizes defensive awareness. Both CNNVD and CNVD publish regular vulnerability reports for companies in China to patch their systems. In fact, China’s databases have at times been more comprehensive than the U.S. NVD, listing hundreds of vulnerabilities not present in NVD due to China’s researchers actively finding and reporting issues (especially in software popular in China) [sentinelone.com]. An analysis in 2022 noted the gap had narrowed, but still “hundreds of vulnerabilities registered in China [were] yet to be listed on the US NVD” [sentinelone.com]. This suggests China’s system, while state-controlled, can enhance overall vulnerability coverage (at least for its constituency).
Structure and access: Both CNNVD and CNVD provide web portals (in Chinese) for searching vulnerabilities. CNNVD’s site is publicly reachable and offers vulnerability listings with details (description, severity, affected products), much like NVD. CNVD’s platform often presents security bulletins and analysis reports. Information from these databases is sometimes summarized in English via third parties, but the official interfaces are Chinese-language. Transparency is mixed: the existence of backdating and selective withholding in CNNVD undermines trust in its timeline, but the content of published entries largely mirrors known vulnerabilities (the databases do not advertise which ones were held back – those simply appear late or not at all). In summary, China tracks essentially the same universe of vulnerabilities as CVE/NVD, plus additional local discoveries, but under a much more centralized and state-filtered disclosure process. The key differences lie in speed (generally faster publication, except when intentionally delayed) and disclosure control (legal mandates for reporting to government and restrictions on early public release) [therecord.media].
Russia: FSTEC’s Data Security Threats Database (BDU)
Russia’s national vulnerability database is known as the Data Security Threats Database (BDU), maintained by the Federal Service for Technical and Export Control (FSTEC) [en.wikipedia.org]. FSTEC is a military-linked government body tasked with protecting state information systems and critical infrastructure [theregister.com]. The BDU can be seen as Russia’s counterpart to NVD/CNNVD, but it operates very differently in scope and purpose. Notably, Russia’s BDU tracks only a small fraction of the total publicly known vulnerabilities. Studies have found that as of 2018, BDU contained roughly 10% of the entries of the U.S. NVD [en.wikipedia.org]. For example, at that time it had only ~11,000 vulnerabilities listed versus ~107,000 in NVD [theregister.com]. This gap indicates a highly selective approach – FSTEC appears to include only those vulnerabilities that directly concern Russian government interests or domestic products.
Coverage and focus: The BDU’s content is heavily curated. Priority is given to vulnerabilities that pose a threat to Russian state information systems, critical facilities, or widely used software within Russia [theregister.com]. Many vulnerabilities in products that are uncommon in Russia or that do not affect government networks are simply not catalogued. FSTEC has made no claim that its database is comprehensive or meant for general IT use [theregister.com]. Instead, the database is explicitly an instrument of state cybersecurity policy, focusing on what Russian operators need to know. This inward focus means the BDU’s utility to the broader cybersecurity community is limited – it’s not meant to alert global enterprises of every new bug, but rather to ensure Russian entities are aware of the vulnerabilities that Russia deems important [theregister.com].
Timeliness and completeness: Russia’s vulnerability database is both slow and sparse in its updates. On average, FSTEC publishes vulnerability information significantly later than other databases – one analysis showed BDU was about 83 days slower than China’s CNNVD and 50 days slower than NVD (US) in adding new vulnerabilities [theregister.com]. The figure below illustrates this delay disparity. Additionally, whole categories of vulnerabilities may never appear in BDU at all (accounting for the ~90% of CVEs missing). The limited resources or priorities might explain some omissions, but experts believe it is intentional policy rather than lack of capability [theregister.com]. Recorded Future assessed that “reporting only 10% of published vulnerabilities is a function of choice and not due to resource constraints” [theregister.com]. FSTEC only began public vulnerability reporting in 2014 (long after the US and China started) [theregister.com], indicating that this was a late, policy-driven initiative likely tied to Russia’s push for greater cyber sovereignty.
Figure: Average vulnerability disclosure delay in days for China’s CNNVD (green), US NVD (blue), and Russia’s BDU (red) as of 2018 [theregister.com]. This data highlights how much slower Russia’s database tends to update compared to its U.S. and Chinese counterparts. China’s CNNVD, with the lowest bar, adds new vulnerabilities in under two weeks on average, whereas Russia’s BDU (highest bar) often takes around three months to include a disclosed flaw. The U.S. NVD falls in between. This reflects not only resource allocation but also differing philosophies – Russia’s process introduces significant delays that could leave Russian systems exposed longer, presumably because immediate public disclosure is not the top priority for FSTEC.
Disclosure practices and strategy: Russia’s approach to vulnerability information is influenced by security and political considerations. FSTEC, being a military/security agency, likely coordinates with Russian intelligence services regarding which vulnerabilities to disclose. The general view is that Russia uses BDU as a tool to support its national cyber defense and control the narrative on vulnerabilities, rather than as a public service [theregister.com]. There may be cases where Russia withholds or delays publishing certain CVEs that it finds useful for offensive operations (similar to China’s behavior), although concrete evidence of backdating in BDU is not widely reported. Interestingly, an analysis of vulnerabilities known to be exploited by Russian state-sponsored hacking groups (APTs) found that 61% of those vulnerabilities were listed in Russia’s BDU [theregister.com]. This is much higher than the 10% baseline coverage, suggesting that when a vulnerability is actively used by Russian operatives (and thus likely known to foreign defenders), Russia will eventually list it in BDU – possibly to ensure domestic systems patch it, or as misdirection [theregister.com]. In fact, FSTEC had published 60% of the vulnerabilities specifically used by the GRU’s APT28 group [theregister.com]. This could imply a degree of internal coordination: once a tool is burned (exposed through use), they add it to BDU to fortify against retaliation or copycats. On the other hand, vulnerabilities that Russia’s agencies discover and keep for espionage (unknown to others) would never make it into BDU until they are public.
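The lag and coverage figures quoted for NVD, CNNVD and BDU (33 vs. 13 days, ~10% coverage, ~83 days for BDU), and the back-dated CNNVD timestamps mentioned in the China section, are all things a defender can measure directly when consuming several databases' feeds. The script below is an added example, not code from the report or from any of the databases it describes. The records are constructed sample data with placeholder CVE ids; the dates are chosen to mirror the orders of magnitude the report cites and are not taken from any real feed. It computes per-database coverage, mean and median publication lag against the earliest public disclosure, and flags entries whose database timestamp precedes that disclosure, which is the signature a back-dated entry would leave.

```python
"""Publication-lag and coverage analysis across vulnerability databases.

Added example; the VulnRecord rows below are CONSTRUCTED with placeholder
CVE ids. 'first_public' is the earliest date the issue was public anywhere
(vendor advisory, mailing list, exploit post); 'db_published' is when each
database listed it, or None if it never did.
"""
from dataclasses import dataclass, field
from datetime import date
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass
class VulnRecord:
    cve: str
    first_public: date
    db_published: Dict[str, Optional[date]] = field(default_factory=dict)


# Constructed sample: four placeholder vulnerabilities tracked across three databases.
SAMPLE: List[VulnRecord] = [
    VulnRecord("CVE-EXAMPLE-1", date(2018, 1, 10), {
        "NVD": date(2018, 2, 12),    # +33 days
        "CNNVD": date(2018, 1, 23),  # +13 days
        "BDU": date(2018, 4, 3),     # +83 days
    }),
    VulnRecord("CVE-EXAMPLE-2", date(2018, 3, 1), {
        "NVD": date(2018, 3, 8),     # +7 days
        "CNNVD": date(2018, 2, 20),  # 9 days BEFORE anything was public: implausible timestamp
        "BDU": None,                 # never listed
    }),
    VulnRecord("CVE-EXAMPLE-3", date(2018, 5, 15), {
        "NVD": date(2018, 6, 17),    # +33 days
        "CNNVD": date(2018, 5, 28),  # +13 days
        "BDU": None,
    }),
    VulnRecord("CVE-EXAMPLE-4", date(2018, 7, 4), {
        "NVD": date(2018, 7, 11),    # +7 days
        "CNNVD": date(2018, 7, 17),  # +13 days
        "BDU": None,
    }),
]


def lag_days(rec: VulnRecord, db: str) -> Optional[int]:
    """Days from first public disclosure to the entry appearing in `db` (None if absent)."""
    published = rec.db_published.get(db)
    if published is None:
        return None
    return (published - rec.first_public).days


def coverage(records: List[VulnRecord], db: str) -> float:
    """Fraction of the known vulnerabilities that `db` lists at all."""
    listed = sum(1 for r in records if r.db_published.get(db) is not None)
    return listed / len(records)


def implausible_timestamps(records: List[VulnRecord], db: str) -> List[str]:
    """CVE ids whose `db` publication date precedes the earliest public disclosure.

    A database cannot legitimately publish before anything was public, so a
    negative lag indicates a back-dated timestamp or a data error and should be
    reviewed rather than trusted in lag statistics.
    """
    return [r.cve for r in records
            if (lag := lag_days(r, db)) is not None and lag < 0]


def lag_stats(records: List[VulnRecord], db: str,
              skip_implausible: bool = False) -> Dict[str, float]:
    """Count, mean and median lag for `db`; optionally drop negative (back-dated) lags."""
    lags = [lag for r in records if (lag := lag_days(r, db)) is not None]
    if skip_implausible:
        lags = [lag for lag in lags if lag >= 0]
    if not lags:
        return {"count": 0, "mean": float("nan"), "median": float("nan")}
    return {"count": len(lags), "mean": float(mean(lags)), "median": float(median(lags))}


if __name__ == "__main__":
    for db in ("NVD", "CNNVD", "BDU"):
        stats = lag_stats(SAMPLE, db, skip_implausible=True)
        print(f"{db:6s} coverage={coverage(SAMPLE, db):.0%} "
              f"mean_lag={stats['mean']:.1f}d median_lag={stats['median']:.1f}d "
              f"implausible={implausible_timestamps(SAMPLE, db)}")
```

Using the earliest public disclosure rather than the CVE assignment date as the baseline matters: measuring against NVD's own publication date would hide exactly the cases where another database published first, and a back-dated entry only stands out when compared against an independent first-seen date.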
Accessibility and transparency: The BDU is accessible via a Russian-language web portal under FSTEC’s site. Each entry includes the CVE (if available), a description (in Russian), and basic data like affected products and patch availability. However, because of its limited scope, the BDU is not a go-to reference for the global community. It serves a niche purpose. From a transparency standpoint, the criteria for inclusion are not publicly documented, and the heavy under-reporting means one cannot assume a vulnerability is unimportant just because BDU omitted it. This lack of transparency can be viewed as a form of censorship or information control, though in the context of vulnerabilities rather than news. Russian law does not have an exact equivalent to China’s 2021 regulations, but the state has broad authority over information security. Researchers in Russia often cooperate quietly via FSTEC or other bodies, and there is less of a public vulnerability research scene due to legal risks (Russian researchers might fear violating laws if they publicly disclose bugs without permission). Overall, Russia’s strategy appears to treat vulnerability knowledge as sensitive, to be shared on a need-to-know basis with Russian organizations, and not to alarm the general public or international companies.
European Union and EU Member States (CERT-EU, BSI, etc.)
Europe, unlike a single nation-state, does not have one unified vulnerability database covering all of the EU. Instead, European nations rely on coordination through CERTs (Computer Emergency Response Teams) and security agencies, often leveraging the global CVE/NVD system while issuing their own advisories for local audiences. The approach in Europe emphasizes coordinated vulnerability disclosure and broad transparency, but each country may have its own portal or practices. Key examples:
- CERT-EU: This is the Computer Emergency Response Team for EU institutions. CERT-EU serves EU bodies (Parliament, Commission, etc.) but also shares information publicly. They regularly publish security advisories and alerts about major vulnerabilities, often summarizing vendor patch releases or urgent threats [cert.europa.eu]. For instance, CERT-EU might release a bulletin on Microsoft’s Patch Tuesday or a critical zero-day in widely used software, highlighting the CVEs and urging prompt patching [cert.europa.eu]. These advisories are typically in English and available on CERT-EU’s website. However, CERT-EU does not maintain a database of all vulnerabilities; it curates reports most relevant to its constituency (the EU agencies and infrastructure). The focus is on timely communication of high-impact issues rather than duplicating NVD.
- National CERTs and security agencies: Many EU member states have their own CERT or cybersecurity authority that provides vulnerability advisories. For example, Germany’s BSI (Federal Office for Information Security) and its affiliated CERT-Bund issue technical security bulletins and warnings to German organizations [bsi.bund.de]. BSI’s public Cyber Security Warnings inform IT managers about “new and dangerous attack vectors” and vendor patch releases for known vulnerabilities [bsi.bund.de]. These often reference CVE IDs and come with remediation guidance. In addition to public alerts, BSI also shares confidential warnings with critical infrastructure operators under a Traffic Light Protocol scheme [bsi.bund.de], illustrating a public-private partnership model. BSI does not maintain a full CVE database of its own; instead, it references NVD/MITRE data and vendor information. Importantly, Germany has been a leader in promoting standardized advisory formats (like the CSAF JSON framework) to make it easier to aggregate and distribute vulnerability information [bsi.bund.de]. This shows Europe’s interest in interoperability – enabling tools to ingest advisories from many sources (vendors, NVD, CERTs) seamlessly. Other countries, like France’s CERT-FR (operated by ANSSI) or the UK’s NCSC, similarly publish advisories or alerts on major vulnerabilities in French or English respectively. These agencies typically highlight patches and urge mitigation, aligning with responsible disclosure practices (i.e. they announce after or when fixes are available, coordinating with vendors).
- Coordinated disclosure and legal environment: European nations generally encourage responsible vulnerability disclosure through policy rather than strict law. The EU’s NIS Directive (and the updated NIS2) calls for Member States to establish frameworks for Coordinated Vulnerability Disclosure (CVD), meaning clear processes for researchers to report bugs and for vendors to handle them. For example, the Netherlands has been a proponent of CVD guidelines (the Dutch policy coined “No, don’t prosecute hackers who report bugs responsibly”). While there isn’t an EU-wide law like China’s that mandates reporting to government first, there is an increasing effort to formalize channels where researchers can safely report flaws (sometimes to national CERTs) which then coordinate with vendors. No EU country is known to systematically censor vulnerability information – on the contrary, Europe tends to value openness and collaboration. If a vulnerability is discovered affecting, say, a popular software, the inclination is to work with the vendor and possibly involve the relevant CERT to alert users, rather than to secretly stockpile it. One exception might be intelligence agencies (like any country, European intelligence might quietly keep 0-days), but those are not part of the public vulnerability advisory ecosystem. In general, EU CERTs do not delay public disclosure beyond the needs of coordination with vendors. Once a patch is ready or an urgent alert needs to go out, they will inform the public or specific sectors promptly.
- Structure and access: European advisories are usually published on official websites (often in the local language, sometimes with English translations for wider consumption). For instance, BSI’s bulletins are available on its site and CERT-FR publishes in French with English summaries for some alerts. These are open to anyone. Some countries also maintain portals or databases of past advisories. There is also a trend towards aggregating advisories from multiple vendors: e.g., Germany’s BSI offers tools for vendors to create advisories in CSAF format, and a platform to share them, effectively creating a distributed database of advisories from various manufacturers. Unlike NVD or CNNVD, these are decentralized – multiple sources rather than one central DB. This decentralization can make it harder to get a single “European NVD,” but efforts like the CERT@VDE in Germany (for industrial control vulnerabilities) or EU initiatives under ENISA aim to improve sharing.
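The interoperability point made above about CSAF is easiest to see with a concrete document. The following is an added example, not code from BSI, OASIS or any CERT: it takes a constructed minimal advisory that uses CSAF 2.0 field names (document, product_tree, vulnerabilities, product_status, remediations, scores; the vendor, product names, tracking id and CVE id are placeholders) and flattens it into one action item per affected product, which is the shape a patch-management tool would want regardless of which vendor or CERT published the advisory.

```python
"""Flatten a CSAF 2.0 advisory into per-product action items.

Added example. CSAF_ADVISORY is a CONSTRUCTED minimal document using CSAF 2.0
field names; publisher, products, tracking id and CVE id are placeholders.
"""
import json
from typing import Dict, List, Optional

CSAF_ADVISORY = json.loads("""
{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "title": "Example Vendor advisory EXAMPLE-2024-001 (constructed)",
    "publisher": {"category": "vendor", "name": "Example Vendor", "namespace": "https://vendor.example"},
    "tracking": {
      "id": "EXAMPLE-2024-001", "status": "final", "version": "1.0.0",
      "initial_release_date": "2024-01-15T10:00:00Z",
      "current_release_date": "2024-01-15T10:00:00Z",
      "revision_history": [{"date": "2024-01-15T10:00:00Z", "number": "1.0.0", "summary": "Initial release"}]
    }
  },
  "product_tree": {
    "full_product_names": [
      {"product_id": "CSAFPID-0001", "name": "Example Router firmware 1.x"},
      {"product_id": "CSAFPID-0002", "name": "Example Router firmware 2.x"},
      {"product_id": "CSAFPID-0003", "name": "Example Router firmware 3.x"}
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-EXAMPLE-0001",
      "product_status": {
        "known_affected": ["CSAFPID-0001", "CSAFPID-0002"],
        "known_not_affected": ["CSAFPID-0003"]
      },
      "remediations": [
        {"category": "vendor_fix", "details": "Upgrade to firmware 1.9",
         "product_ids": ["CSAFPID-0001"], "url": "https://vendor.example/fw/1.9"},
        {"category": "none_available", "details": "No fix for 2.x; restrict the management interface",
         "product_ids": ["CSAFPID-0002"]}
      ],
      "scores": [
        {"cvss_v3": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL",
                     "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
         "products": ["CSAFPID-0001", "CSAFPID-0002"]}
      ]
    }
  ]
}
""")


def flatten_csaf(doc: dict) -> List[Dict[str, object]]:
    """One row per (CVE, known-affected product) with the remediation and score that apply to it."""
    names = {p["product_id"]: p["name"]
             for p in doc.get("product_tree", {}).get("full_product_names", [])}
    advisory_id = doc["document"]["tracking"]["id"]
    rows: List[Dict[str, object]] = []
    for vuln in doc.get("vulnerabilities", []):
        # Only known_affected products need action; known_not_affected and
        # under_investigation entries are deliberately left out of the worklist.
        for pid in vuln.get("product_status", {}).get("known_affected", []):
            remediation = next((r for r in vuln.get("remediations", [])
                                if pid in r.get("product_ids", [])), None)
            score = next((s for s in vuln.get("scores", [])
                          if pid in s.get("products", [])), None)
            rows.append({
                "advisory": advisory_id,
                "cve": vuln.get("cve"),
                "product": names.get(pid, pid),
                "remediation": remediation["category"] if remediation else "unspecified",
                "fix_url": remediation.get("url") if remediation else None,
                "cvss": score["cvss_v3"]["baseScore"] if score and "cvss_v3" in score else None,
            })
    return rows


def products_without_vendor_fix(rows: List[Dict[str, object]]) -> List[str]:
    """Affected products that still lack a vendor_fix and need compensating controls."""
    return [str(r["product"]) for r in rows if r["remediation"] != "vendor_fix"]


if __name__ == "__main__":
    for row in flatten_csaf(CSAF_ADVISORY):
        print(row)
    print("needs compensating controls:", products_without_vendor_fix(flatten_csaf(CSAF_ADVISORY)))
```

Because every field used here is part of the CSAF schema rather than a vendor-specific layout, the same function serves advisories from a manufacturer, from BSI or from a platform that aggregates them, which is the practical benefit of the standardized format the section describes.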
In summary, EU nations rely on the global CVE system and NVD, supplemented by national CERT advisories for context and emphasis. The key differences from other nations’ approaches are: a lack of a single centralized database (instead a network of CERTs), a strong commitment to coordinated disclosure without government-imposed secrecy, and making vulnerability information accessible to those who need it (with some private channels for sensitive communications). The EU perspective treats vulnerabilities primarily as risks to be mitigated rather than as opportunities for offense, which is reflected in its transparency and public-private coordination.
Other Notable National Databases and Portals (Japan, etc.)
Outside the big three (US, China, Russia) and the EU, several other countries maintain significant vulnerability information portals:
- Japan – JVN (Japan Vulnerability Notes): Japan operates its own national vulnerability database and advisory portal called JVN (Japan Vulnerability Notes), along with an associated database JVN iPedia [en.wikipedia.org]. JVN is jointly maintained by the Japanese government’s Information-Technology Promotion Agency (IPA) and JPCERT/CC (Japan’s CERT) [en.wikipedia.org]. It serves as a comprehensive clearinghouse for vulnerabilities relevant to Japan. In practice, JVN covers a wide range of CVEs (domestic and international) and provides Japanese-language details and solutions. Many entries are translations or summaries of NVD/MITRE entries, enriched with additional information or links to Japanese vendor advisories. As of early 2025, JVN iPedia contains over 200,000 vulnerability entries [ipa.go.jp], indicating that it tracks essentially all known CVEs (that number is on par with the total CVE count). The database is updated daily as new CVEs and Japan-discovered issues arise. Japan has a well-developed coordinated disclosure system: JPCERT/CC acts as a coordinator when Japanese researchers or companies find vulnerabilities, helping liaise with global vendors or assign CVEs, and then disclosing via JVN once ready [jpcert.or.jp]. JVN entries often include both Japanese and English information (or at least CVE references), making it somewhat accessible internationally. The policy in Japan is similar to the U.S./EU model – encourage responsible disclosure, don’t publicly release exploit details until a patch or mitigation is available, and no evidence of government suppression of vulnerabilities. If anything, Japan’s challenge has been ensuring its local software vendors participate in disclosure (hence the need for JPCERT to assist). JVN is considered a success in providing vulnerability info tailored to Japanese users (e.g., advisories for Japanese software in Japanese), while still synchronized with global databases.
- India – CERT-In Vulnerability Notes: India’s CERT (CERT-In) publishes Vulnerability Notes organized by year [cert-in.org.in]. These are similar to the old US CERT/CC vulnerability notes – they describe specific vulnerabilities (often those with wide impact or affecting popular products in India), with technical details and mitigation. They reference CVEs and are written in English. India does not maintain a full database of all CVEs, but CERT-In will issue notes on critical vulnerabilities (for example, major ransomware-related CVEs or flaws in widely used enterprise software). The disclosure practice follows coordinated disclosure norms. In recent years, India has also emphasized that vendors operating in India should notify CERT-In of major incidents and vulnerabilities, but there is no evidence of systematic withholding of vulnerability information.
- Australia – ACSC Advisories: The Australian Cyber Security Centre (ACSC) provides security advisories and alerts for Australian users. These cover notable vulnerabilities (often linking to vendor advisories or CVEs), especially those being actively exploited or affecting critical infrastructure. Australia similarly does not run a separate CVE database, relying on international sources and focusing on local impact and guidance.
- International and Industry efforts: Although not country-specific, it’s worth noting CERT/CC (USA) historically maintained the Vulnerability Notes Database (by the Carnegie Mellon CERT Coordination Center) which is an older repository of vulnerability advisories. Many countries and companies also contribute to global vulnerability data through the CVE Numbering Authority (CNA) program – e.g., companies like Microsoft, Oracle, Siemens, etc., publish advisories and assign CVEs which then propagate to national databases. Some alliances like FIRST and OASIS (with standards like CSAF) involve multiple nations to standardize how advisories are shared.
Each of these examples reinforces that CVE is the common language, but the way vulnerability information is disseminated can differ. Some countries have chosen to mirror CVEs in their own language and add local context (Japan, China), some have chosen to only selectively list what matters to them (Russia), and others simply reference the global databases while issuing targeted guidance (EU nations, Australia, etc.). The political and strategic considerations often determine these approaches: e.g., China and Russia treat vulnerability info with a degree of state secrecy and strategic handling, whereas U.S., Japan, and allies treat it as predominantly a defensive matter and public good (with the exception of secret agency research which is kept out of public DBs).
Below is a comparison table summarizing the key differences across several countries/regions:
| Country/Region | Primary Vulnerability Database / Portal | Coverage & Structure | Disclosure Policy & Timeline | Accessibility & Transparency |
| --- | --- | --- | --- | --- |
| United States | NVD (National Vulnerability Database) – operated by NIST (gov’t) [en.wikipedia.org]. | Scope: All publicly disclosed CVEs globally (comprehensive).<br>Structure: CVE-based entries with standardized data (CVSS scores, references). Updated continuously (feeds, API available). | Policy: Voluntary, coordinated disclosure via vendors/CNAs. No state censorship of NVD content. Govt uses a separate Vulnerability Equities Process for 0-days [archive.epic.org].<br>Timeline: Moderate speed – ~33 days avg delay from initial disclosure [theregister.com] (process-driven delays). Aims for quick inclusion once CVE is public. | Access: Fully public and free (English). Highly transparent – no selective omissions (lists all known CVEs). Machine-readable formats (JSON, etc.) for automation. |
| China | CNNVD (China National Vulnerability Database) – operated by CNITSEC (MSS) [en.wikipedia.org]; CNVD (China National Vulnerability Database – Information Sharing Platform) – operated by CNCERT/CC (MIIT) [cert.org.cn]. | Scope: Nearly all known vulnerabilities worldwide (mirrors CVEs) + additional Chinese-discovered bugs. CNNVD had ~117k vulns by 2020 [en.wikipedia.org]. CNVD covers similar scope, incl. domestic product flaws not in CVE [sentinelone.com].<br>Structure: Both assign their own IDs (CNNVD-, CNVD-) and cross-reference CVEs. Regular updates (often daily). Content in Chinese. | Policy: State-controlled disclosure. Mandatory 48h reporting to government (MIIT) for any new vuln [therecord.media]. No public/foreign disclosure before patch without approval [therecord.media]. MSS (for CNNVD) evaluates high-impact vulns for potential offensive use, causing deliberate publication delays [en.wikipedia.org].<br>Timeline: Fast by default – CNNVD ~13 days avg inclusion [theregister.com] (proactively scans sources), often beating CVE/NVD. However, sensitive cases delayed (with backdated timestamps) for exploitation [en.wikipedia.org]. CNVD also publishes swiftly, coordinating with vendors. | Access: Public web portals (Chinese-language). Data is openly available, but transparency is mixed – ordinary vulns are documented, but process is opaque for withheld cases. Foreign researchers rely on translations/third-party for CNNVD/CNVD info. Overall more comprehensive and quicker, but with state-imposed secrecy on certain entries. |
| Russia | BDU (Data Security Threats Database) – operated by FSTEC (gov’t) [en.wikipedia.org]. | Scope: Highly selective – roughly 10% of global CVEs [en.wikipedia.org]. Focuses on vulnerabilities affecting Russian government systems, critical infrastructure, and popular local software [theregister.com]. Many vulnerabilities simply not cataloged.<br>Structure: CVE-based references. Established 2014; much smaller corpus than peers. Entries in Russian. | Policy: Tightly controlled by a military/security agency. Prioritizes national security; aims to inform only what’s necessary for Russian defense [theregister.com]. Likely omits vulnerabilities that are not seen as threats to Russia or that Russia might exploit offensively.<br>Timeline: Slow – often months behind. On average ~50 days slower than US NVD, ~83 days slower than CNNVD [theregister.com]. Updates appear ad-hoc. No rush to publish new CVEs (perhaps intentionally slow to filter and decide on each). | Access: Publicly accessible website, but only in Russian and not widely used outside Russia. Transparency is low – the selection criteria are unknown, and the database is incomplete by design (not an open info resource). Seen as an instrument for state control of vulnerability knowledge rather than general cybersecurity awareness [theregister.com]. |
| European Union /<br>EU Nations | CERT-EU (for EU institutions) advisories [cert.europa.eu]; National CERTs (e.g., Germany BSI/CERT-Bund, France CERT-FR, UK NCSC) advisory portals. (No single EU-wide CVE database; uses global CVE/NVD). | Scope: Relies on global CVE databases (NVD, etc.) for universe of vulns. Each CERT focuses on notable vulnerabilities impacting its constituency (e.g. critical CVEs in popular products, exploited threats). No attempt to list every CVE; rather, warnings are issued for high-impact issues.<br>Structure: Advisory bulletins and databases of advisories. Often published per incident or vendor patch batch (e.g., Patch Tuesday summaries). Some use standard formats (CSAF) for machine-readable bulletins. Multilingual (many local CERT sites in national language; CERT-EU in English). | Policy: Emphasis on coordinated disclosure and public-private collaboration. Researchers are encouraged to report to vendors or CERTs; no censorship – advisories are released once fixes are available or urgent mitigation is needed. The EU has no law forcing prior government notification (unlike China); instead, policies (under NIS2) promote establishing safe harbor for responsible disclosure.<br>Timeline: Timely, aligned with vendor disclosures. CERTs typically publish advisories immediately when a vulnerability is public and relevant (often same-day as vendor patch release or public report). They do not significantly delay or hide information, since the goal is to inform as quickly as possible for defense. | Access: Open websites and mailing lists. For example, BSI’s warnings page and CERT-EU’s advisories are publicly viewable. Some content may be tailored (with sensitive details shared on restricted channels to critical sectors), but generally a high degree of transparency. Because multiple sources exist, information can be distributed, but efforts like ENISA and FIRST help coordinate and share across borders. Overall, EU nations provide accessible, trust-based advisory services built on global data. |
| Japan | JVN (Japan Vulnerability Notes) – run by JPCERT/CC and IPA [en.wikipedia.org]. | Scope: Comprehensive – tracks vulnerabilities reported via Japanese researchers/vendors and international CVEs that affect Japan. JVN iPedia has stored over 200k vulnerabilities [ipa.go.jp], comparable to NVD in coverage.<br>Structure: Entries in Japanese (many with English summaries). Uses CVE IDs as reference, plus its own JVN ID for each advisory. Focus on software used in Japan (including localized products). Regular updates synced with CVE disclosures and Japanese vendor reports. | Policy: Follows coordinated disclosure. JPCERT/CC acts as coordinator, ensuring vendors have fixes before publication [jpcert.or.jp]. No evidence of withholding for offense – orientation is defensive. Japan encourages reporting through JPCERT; researchers typically do not disclose 0-days publicly without coordination.<br>Timeline: Prompt – JVN releases information as soon as a vulnerability is public and/or a patch is available. Often simultaneous with or shortly after NVD/MITRE release, plus translation time. In cases of domestic discoveries, JVN may publish the advisory in tandem with CVE assignment. Overall, timely distribution to Japanese audience. | Access: Public website, primarily in Japanese (with some English). Extremely transparent – even minor software vulnerabilities are cataloged if reported. Users can search in Japanese, which lowers language barriers for locals. JVN also provides RSS feeds and other data exports. It essentially functions as Japan’s localized NVD, with a high trust level in the info provided. |
Table: Comparison of national vulnerability databases and advisory systems across countries, highlighting scope, policies, speed, and openness [en.wikipedia.org; theregister.com; theregister.com; therecord.media].
Conclusion
National vulnerability databases reflect each nation’s priorities and governance approach to cybersecurity. The United States and many allies (Europe, Japan, etc.) largely treat vulnerability disclosure as a public good – they track a broad set of vulnerabilities (usually via the international CVE system), publish information openly in a timely manner, and coordinate with the private sector to fix issues. Their databases and advisories are meant to maximize defensive knowledge sharing. In contrast, countries like China and Russia view vulnerability information through a more strategic lens, balancing the benefits of public disclosure with the desire to exploit or control that information for state purposes. China’s dual-database system, rapid collection, and new legal restrictions show an attempt to have the best of both worlds – fast defensive alerts for most issues, but the ability to secretly harness the most critical vulnerabilities. Russia’s minimalistic BDU underscores a primary concern with protecting state infrastructure while revealing little to the outside world. These differences have practical implications: security teams in the West often monitor databases like NVD, CERT advisories, and JVN for a complete picture, whereas intelligence analysts keep an eye on CNNVD/CNVD for any early clues (and potential backdating) and understand that Russia’s BDU won’t tell the whole story.
Despite divergent practices, the trend is that global collaboration is increasing – efforts like the CVE program, FIRST, and standardized advisory formats bring nations onto the same page, even as political motives sometimes interfere. Awareness of these national differences is important: for example, a company might patch sooner if it notices that CNNVD has released a vulnerability NVD hasn’t yet, or policymakers might realize that legal mandates (like China’s) can turn vulnerability research into a state-monopolized activity. Ultimately, improving cybersecurity requires balancing timely public disclosure with managed risk. The comparison above shows where each nation draws that line, and how factors of politics and policy shape the flow of vulnerability information worldwide.
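As an added example (not part of the original report), the cross-database monitoring described above, written the way a defender would script it: given publication dates for the same vulnerability id from several databases, compute each database's lag relative to NVD and list ids that one database has published but NVD has not yet listed. The records, ids and dates below are constructed, and the `(database, id, date)` record shape is an assumption rather than any database's real feed format.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records: (database, vulnerability id, publication date).
# Ids and dates are made up for illustration; they are not real entries.
SAMPLE_RECORDS = [
    ("NVD",   "CVE-2024-0001", date(2024, 3, 20)),
    ("CNNVD", "CVE-2024-0001", date(2024, 3, 1)),   # published before NVD
    ("JVN",   "CVE-2024-0001", date(2024, 3, 21)),  # one day after NVD
    ("BDU",   "CVE-2024-0001", date(2024, 5, 30)),  # months behind
    ("NVD",   "CVE-2024-0002", date(2024, 3, 5)),
    ("JVN",   "CVE-2024-0002", date(2024, 3, 5)),
    ("CNNVD", "CVE-2024-0003", date(2024, 4, 2)),   # not (yet) in NVD at all
]

def first_seen(records):
    """Map each vulnerability id to {database: earliest publication date}."""
    seen = defaultdict(dict)
    for db, vuln_id, published in records:
        # feeds may repeat an entry; keep the earliest date per (id, database)
        if db not in seen[vuln_id] or published < seen[vuln_id][db]:
            seen[vuln_id][db] = published
    return seen

def lag_days(seen, vuln_id, db, baseline="NVD"):
    """Days `db` published after (positive) or before (negative) `baseline`.
    Returns None when either database lacks the entry."""
    entry = seen.get(vuln_id, {})
    if db not in entry or baseline not in entry:
        return None
    return (entry[db] - entry[baseline]).days

def average_lag(seen, db, baseline="NVD"):
    """Mean lag of `db` versus `baseline` over ids present in both."""
    lags = [lag for v in seen if (lag := lag_days(seen, v, db, baseline)) is not None]
    return sum(lags) / len(lags) if lags else None

def missing_from(seen, target, source):
    """Ids `source` has published that `target` has not listed: these are the
    early-warning candidates a patch team would want to triage first."""
    return sorted(v for v, dbs in seen.items() if source in dbs and target not in dbs)

if __name__ == "__main__":
    seen = first_seen(SAMPLE_RECORDS)
    for db in ("CNNVD", "JVN", "BDU"):
        print(f"{db}: average lag vs NVD = {average_lag(seen, db)} days")
    print("In CNNVD but absent from NVD:", missing_from(seen, "NVD", "CNNVD"))
```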
Sources: The analysis is based on documented characteristics of each database and reporting from cybersecurity studies and official policies, including comparisons by Recorded Future [theregister.com; theregister.com], regulations from Chinese authorities [therecord.media], and official descriptions by NIST, CNITSEC, FSTEC, JPCERT, and others. All specific factual claims are backed by citations to these sources.