Natto Thoughts: Vulnerability Research

A Researcher Came Knocking, and Taught China a Lesson in How to Manage Vulnerabilities and Researchers

Natto Team — Wed, 05 Nov 2025 17:02:57 GMT

In the last few days of October 2025 in Asia, gift-giving between top political leaders has drawn a lot of attention—and laughter. One moment, which surprised many of us, was when Chinese President Xi Jinping showed humor during his gift exchange with South Korean President Lee Jae Myung. It is rare to see a Chinese leader “speaking off the cuff in public.” On this occasion, President Xi joked about backdoors in cellphones—yes, backdoors that can monitor or access the information in mobile devices.

During his first state visit to South Korea after 11 years, Xi presented two Chinese-made Xiaomi brand smartphones—the world’s third-largest smartphone brand—to South Korean President Lee Jae Myung. When Lee asked delightedly about the quality of communication and the security of the phone, Xi smiled and said, “You can check if there is a backdoor.”

President Xi is undoubtedly fully aware that the United States and its allies have warned that Chinese technology may contain backdoors—what the …

China’s Vulnerability Research: What’s Different Now?

Eugenio Benincasa — Wed, 08 Oct 2025 16:02:33 GMT

Over the past two decades, China’s vulnerability research ecosystem has undergone a dramatic transformation. In the early 2000s, it was a fragmented landscape of free databases and easily accessible, low-cost exploits. Over time, it evolved toward commercialization, with organized vulnerability markets and institutional research labs emerging within major tech and cybersecurity companies.1 By the mid-2010s, Chinese hackers were competing – and excelling – in global exploit hacking contests2 and bug bounty programs3 to identify weak spots in Western products.

As this ecosystem has evolved, the Chinese state moved to harness the vulnerability research for national priorities through both formal and informal channels. From the top down, it imposed institutional mechanisms such as direct oversight of researchers and regulations that mandate or incentivize reporting to state-run entities. From the bottom up, informal networks among prominent researchers, who exchange insights and acquisition o…

Butian Vulnerability Platform: Forging China's Next Generation of White Hat Hackers

Natto Team — Wed, 25 Jun 2025 16:01:18 GMT

In our previous posting, Natto Thoughts pointed out the Chinese cyberdefense mindset that, in order to protect one's own business or country, one needs to develop offensive skills. In other postings, the Natto Team has profiled various institutes, cyber ranges, vulnerability research labs, and hacking competitions that companies sponsor in order to nurture China's defensive talent through "attack-defense live-fire exercises" (攻防实战演习) and other offensive skills. One prominent entity that brings these all together and has helped set the standard for this type of training is the Butian (or Bu Tian) Vulnerability Response Platform (补天漏洞响应平台) (Butian Platform). It appears designed to coopt would-be black-hat criminal hackers and young students and mold them into socially useful white-hat hackers, training them to defend China. Along the way, they also develop skills that can be used offensively against China's enemies. The term “white hat talent” (白帽人才) has been frequently used in the Chin…

From Humble Beginnings: How a Vocational College Became a Vulnerability Powerhouse

Natto Team — Wed, 28 May 2025 16:01:52 GMT

In one of the famously leaked chat messages among members of i-SOON – the Chinese information security company allegedly linked to the AQUATIC PANDA threat group – group leader “Shutdown” declared in 2020, “People who have attack and defense live-fire capabilities do not need degrees from elite universities.” He called for recruiting talented students from less-prestigious technical or regional educational institutions. One such institution rocketed to prominence on May 16 of this year. Qingyuan Polytechnic – a vocational school from a third-tier city1 – was one of three higher education institutes honored as Outstanding Universities of the Year for Cooperation at the China National Vulnerability Database of Information Security (CNNVD)’s 2024 Annual Work Review and Outstanding Recognition Conference.2 The other recipients were Beihang University (北京航空航天大学) and Guangzhou University (广州大学), both well-known four-year universities.

At the conference, a number of prominent information securi…