Dec 17, 2025 • Recorded Future

China’s Zero-Day Pipeline: From Discovery to Deployment

Source: Recorded Future
Category: vulnerability
Severity: high

Executive Summary

China is consolidating state control over zero-day vulnerability discovery through mandatory reporting laws, financial incentives, and government-backed competitions like the Tianfu Cup and Matrix Cup. The Data Security Law and Provisions on the Management of Network Product Security Vulnerabilities grant Beijing first access to all discovered flaws within two days. China-linked groups leverage this centralized vulnerability pipeline to achieve operational access at scale against enterprise and edge technologies including Fortinet, VMware/ESXi, and Ivanti. The creation of the Information Support Force and Cyberspace Force signals further consolidation of offensive cyber capabilities. Organizations should adopt an 'assume breach' posture with zero trust architecture and layered defenses to limit attacker movement and contain potential damage from state-sponsored exploitation.

Summary

China is consolidating cyber power through zero-days. Explore how state control of vulnerabilities enables long-term strategic advantage.

Published Analysis

Executive Summary

China’s observed use of zero-days has declined since 2023. However, it has expanded its capacity to discover and manage vulnerabilities, signaling a continued effort toward stockpiling exploits for strategic or military advantage.

The Data Security Law (DSL) and Provisions on the Management of Network Product Security Vulnerabilities (RMSV) give the Chinese state first access and control over zero-days. Combined with government-backed competitions, incentives, and private contractors, this framework likely sustains one of the world’s largest reserves of exploitable vulnerabilities.

The creation of the Information Support Force (ISF) and Cyberspace Force (CSF) signals China’s consolidation of cyber capabilities, likely enabling more effective offensive and defensive cyber operations, with vulnerabilities likely serving as a central resource.

Defenders should adopt an “assume breach” posture and build for containment, implementing zero trust and layered defenses to limit attacker movement and impact after an exploit.

Figure 1: How China stockpiles vulnerabilities (Source: Recorded Future)

Analysis

Zero-Days as Strategic Weapons

A zero-day is a previously unknown software flaw for which no patch exists at the time it is discovered or exploited. Once weaponized, it allows adversaries to gain access, escalate privileges, or execute remote commands. These capabilities are especially effective against perimeter and enterprise systems, where a successful compromise can provide initial access and allow attackers to maintain persistence and carry out further cyber actions.

Choosing whether to disclose or keep a zero-day vulnerability is a strategic decision. Governments must balance public safety with the potential intelligence or military value of keeping the flaw secret. In the US, this process is guided by the Vulnerabilities Equities Process (VEP), which is designed to be transparent and generally favors disclosure to help maintain internet security.

China’s Vulnerability Management Regime

China’s vulnerability management system is centralized and led by the state. Its laws, incentives, and institutions work together to feed new exploits and technical capabilities directly to the government, turning software vulnerabilities into strategic assets under state control.

Mandatory Reporting

The RMSV (2021) requires that all discovered vulnerabilities be reported to the Ministry of Industry and Information Technology (MIIT) within two days and prohibits disclosure to foreign entities. The Data Security Law (DSL) and National Intelligence Law (NIL) further compel all individuals and organizations to support state security objectives, with strict penalties for non-compliance. Together, these laws grant Beijing first access and complete control over all newly discovered flaws.

Incentivizing Compliance

This legal framework is reinforced through financial and professional incentives. The China National Vulnerability Database of Information Security (CNNVD), managed by the Ministry of State Security (MSS), offers researchers and firms monetary rewards, certificates, honorary titles, and preferential access to government contracts. This system encourages compliance by making vulnerability disclosure both mandatory and materially rewarding.

Talent Development and Recruitment Pipelines

China combines strict regulations with a well-organized system for developing cybersecurity talent. Competitions such as the Tianfu Cup, Matrix Cup, and QiangWang Cup serve as key recruitment and training platforms for the state’s cyber programs. The 2024 Matrix Cup’s $2.75 million USD prize pool, nearly twice that of Canada’s Pwn2Own, highlights the size of this investment.

Private Sector Relationships

China’s private sector also plays a pivotal role. Major firms such as Qi An Xin, Huawei, Qihoo 360, and NSFocus contribute vulnerabilities and technical expertise directly to the government. Large technology companies...