China’s Vulnerability Research: What’s Different Now?
China’s bug-hunting scene is maturing: more players, bigger prizes, tighter structure, and a growing focus on domestic products, driven by profit, prestige, and national security.
Over the past two decades, China’s vulnerability research ecosystem has undergone a dramatic transformation. In the early 2000s, it was a fragmented landscape of free databases and easily accessible, low-cost exploits. Over time, it evolved toward commercialization, with organized vulnerability markets and institutional research labs emerging within major tech and cybersecurity companies.[1] By the mid-2010s, Chinese hackers were competing – and excelling – in global exploit hacking contests[2] and bug bounty programs[3] to identify weak spots in Western products.
As this ecosystem has evolved, the Chinese state has moved to harness vulnerability research for national priorities through both formal and informal channels. From the top down, it imposed institutional mechanisms such as direct oversight of researchers and regulations that mandate or incentivize reporting to state-run entities. From the bottom up, informal networks among prominent researchers, who exchange insights and acquisition o…



