Butian Vulnerability Platform: Forging China's Next Generation of White Hat Hackers
From 'Trouser Belt Project' to 'Patching the Sky': Qi An Xin’s Butian platform serves as cradle for nurturing new talent and smelter for refining seasoned hackers’ skills
In our previous posting, Natto Thoughts pointed out the Chinese cyberdefense mindset that, in order to protect one's own business or country, one needs to develop offensive skills. In other postings, the Natto Team has profiled various institutes, cyber ranges, vulnerability research labs, and hacking competitions that companies sponsor in order to nurture China's defensive talent through "attack-defense live-fire exercises" (攻防实战演习) and other offensive skills. One prominent entity that brings these all together and has helped set the standard for this type of training is the Butian (or Bu Tian) Vulnerability Response Platform (补天漏洞响应平台) (Butian Platform). It appears designed to coopt would-be black-hat criminal hackers and young students and mold them into socially useful white-hat hackers, training them to defend China. Along the way, they also develop skills that can be used offensively against China's enemies. The term “white hat talent” (白帽人才) has been frequently used in the Chinese cybersecurity industry and by Chinese official media to describe this group of young, passionate and technologically enthusiastic hackers.
Founded in 2013 by Qihoo 360, China's leading information security company, as a non-profit crowdsourced bug bounty program, the Butian Platform is now a core business of Qi An Xin, a spin-off from Qihoo 360 established in 2019 to focus on government contracts within China. The Butian Platform has developed a comprehensive vulnerability response system that covers web applications, mobile applications, Internet of Things (IoT), industrial control systems, operating systems, and artificial intelligence (AI). According to a report published by Leiphone, a Chinese technology-focused media outlet, the platform is one of the few third-party vulnerability management entities in China capable of managing vulnerabilities across all these domains. Additionally, the Butian Platform is among the four partners of the China National Vulnerability Database (CNVD) providing vulnerabilities to CNVD.[1]
The Butian Platform proudly identifies itself as the largest vulnerability response platform in China, boasting over 153,000 registered “white hat experts” and more than 2 million reported vulnerabilities as of June 2025. In March 2025, the platform significantly increased its bug bounty payouts, particularly in the domains of artificial intelligence (AI) and AI agents, to address the emerging challenges posed by increasingly popular AI tools. Chinese media have referred to the Butian Platform as “a smelter to forge white hat talent in the age of AI.”
The evolution of the Butian Platform highlights the growing importance of China's crowdsourced bug bounty platforms and vulnerability testing services as key spaces for training vulnerability-mining experts and developing their “attack and defense live-fire capabilities” (攻防实战能力), a term that refers to practical skills for using offensive tools and techniques.[2]
Butian Platform Offers More Than Just a Bug Bounty Program
Butian (补天) in Chinese means “patching the sky.” The name of the Butian Platform originates from the Chinese mythological story of NüWa, the sky-patching goddess (女娲补天). According to the tale, NüWa collected five colored stones from a riverbed, melted them, and used them to repair the sky, saving humanity from disastrous wildfires and floods. NüWa symbolizes the power of creation and restoration. Statues of NüWa can be found in several cities in China. Additionally, a NüWa statue created by a Chinese artist has been dedicated to the United Nations Environment Program and displayed internationally.
In an interview, a representative of the Butian Platform revealed that the program was originally named the “Trouser Belt Project,” symbolizing the act of “tightening the trouser belt to protect vital parts.” The name was later changed to “Butian” (Patching the Sky) as it sounded more refined. In line with the NüWa narrative, the platform adopted the tagline: “If there is a gap in the sky, NüWa patches it up; if there is a vulnerability in the software, Butian remedies it” (天有隙,娲补天;软件有漏洞,补天来补救).

Currently, the Butian Platform offers four main services: a non-profit bug bounty program, an enterprise-sponsored bug bounty program, a crowdsourced vulnerability discovery and penetration testing service, and a vulnerability threat intelligence service. It also organizes various initiatives, including the Qi An Xin attack-defense community online forum (奇安信攻防社区), the Butian White Hat Conference, the Butian Cup Hacking Competition, the Butian city talk series, and outreach programs targeting colleges. These events and programs form the foundation of the Butian Platform's efforts to secure a steady pipeline of cybersecurity talent.
The shortage of cybersecurity professionals, particularly those with practical attack-and-defense skills, remains a critical issue. According to the 2022 White Paper on the Live-Fire Capabilities of Cybersecurity Talents: Attack and Defense Live-Fire Capability Edition,[3] issued by the Chinese Ministry of Education, China faces a cybersecurity talent gap projected to reach 3.27 million by 2027. Meanwhile, colleges and universities currently train only around 30,000 students annually. Recognizing this challenge, the leaders of the Butian Platform and its parent company, Qi An Xin, have clearly strategized their approach to address this pressing issue effectively.
Butian Platform’s Talent Training Program and the “Building a White Hat Elite Growth System”
The Butian Platform, recognized as the largest vulnerability response platform in China, has developed a comprehensive talent training program specifically targeting college and university students. This program takes advantage of Qi An Xin’s nationwide network of five offline branches dedicated to community technical exchange, draws on its pool of elite mentors, and collaborates with its extensive customer base to enhance students' skills while also expanding their employment opportunities. According to Bai Jian, the head of the Butian Platform, the program's ultimate aim is to “create a closed loop of cybersecurity talent development, built upon a synergistic partnership between bug bounty platforms, universities, and enterprises. This approach seeks to continually supply fresh cybersecurity talent to society while fostering the sustainable and healthy growth of the cybersecurity talent ecosystem.”
To achieve this goal, the Butian Platform has developed a comprehensive “Building a White Hat Elite Growth System.” This system aims to create a practical learning environment, establish a mentorship network, and integrate theoretical knowledge with hands-on skills. The growth system leverages the platform’s existing programs, such as forums and technical sharing seminars, and incorporates projects to guide participants from the “newcomer” stage to the “cybersecurity expert” stage through six distinct phases. Each phase includes specific activities and programs, allowing white hat hackers to earn points and certificates as they progress toward expert status (see chart below). For example, during the advanced phase, participants qualify to engage in crowdsourced security testing projects (众测项目), take part in live-fire attack and defense drills, join Butian’s competitive hacking teams, and share expertise with fellow elite members at specialized events. Completing these activities grants participants an honorary certificate and enables them to advance to the elite stage.

Butian Platform’s Talent Training Focuses on Live-Fire Capabilities
The Butian Platform’s talent training efforts have fostered a vibrant white hat community, widely appreciated for its focus on enhancing live-fire capabilities.[4] In the Chinese cybersecurity industry, many subscribe to a popular saying: "A hundred network security lectures are not as effective as one hands-on attack," emphasizing that live-fire (practical) expertise is best developed through real cyber combat. An industry insider shared this insight during the Butian Platform’s 10th anniversary celebration in March 2023.
In 2021, the Butian Platform introduced the "Live-Fire Capability Map for White Hat Talent" (实战化白帽子能力图谱) as a reference standard for training white hat hackers (see below). The first of its kind in China, the map categorizes capabilities into three tiers: basic, advanced, and expert, progressing from foundational skills to highly specialized expertise.

Basic capabilities encompass essential skills like web vulnerability exploitation and proficiency with security tools such as Burp Suite, Nmap, and Wireshark. Building on these foundations, advanced capabilities include web vulnerability discovery, programming languages (Java, PHP, Python, etc.), PoC/EXP development, and social engineering techniques. Expert capabilities represent the pinnacle of training, covering topics such as system-level vulnerability research, reverse engineering, tool weaponization, CPU instruction sets, advanced penetration testing, and collaborative team operations for complex tasks.
Despite Butian’s Efforts, the Lure of the Black-Hat Criminal Underground Remains
The Butian Platform takes pride in attracting thousands of white hat hackers to its platform. The company credits its operational concept and high bug bounty payouts as key factors in this success. The platform also emphasizes its commitment to protecting both the white hat hackers and the businesses in whose products they find vulnerabilities, by not disclosing vulnerabilities that are reported until the vulnerable businesses have patched them, thereby avoiding potential conflicts between the two parties. Additionally, the Butian Platform offers the highest cash rewards in the industry within China. Their rationale is that a generous reward not only acknowledges the value of white hat hackers but also motivates them to perform better.
Despite these efforts, the underground market for vulnerabilities can offer prices that are 10 to 100 times higher than the rewards provided by the Butian Platform. Such temptations pose a significant challenge. On various occasions, the management of the Butian Platform and its parent company, Qi An Xin, have discussed the issue of how to induce white hat hackers to submit vulnerabilities to the Butian Platform rather than selling vulnerabilities to the black market for greater financial gain. This lure of the black market highlights how easily white hats could transition to black hats.
Qi Xiangdong, founder and chairman of Qi An Xin, explained in a 2017 interview with China Daily, an official state media outlet, that bug bounty platforms like the Butian Platform serve as a bridge connecting businesses with white hats:
"In terms of technical skills, there is no essential difference between 'white hats' and malicious hackers, which means without a good communication channel between corporations and 'white hats,' corporations may find it tricky to tell whether the attacks suffered by their computer systems are ethically motivated or maliciously intended."
In other words, platforms like his provide structured crowd-sourced penetration testing that both enhances companies’ security and gives hackers an incentive to apply their skills in a socially useful way. In a separate interview in 2023, Tian Peng, the lead of the Butian Platform, further elaborated on this idea, explaining that bridging the gap between businesses and white hat hackers helps minimize misunderstandings and guides white hats toward engaging in “meaningful” work.
What constitutes "meaningful" work may differ depending on perspectives. However, one certainty remains: hackers with live-fire capabilities are highly sought after, selling like hot cakes, and everyone seems to want their expertise.
[1] The CNVD is run by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC). The CNVD, along with the China National Vulnerability Database of Information Security (CNNVD) and CNCERT, has a variety of technical support relationships with cybersecurity companies. The CNNVD, for example, has 332 entities qualifying as CNNVD technical support units, including Qingyuan Polytechnic Institute, which the Natto Team profiled here. For other examples, see the chart here. For details of CNVD and CNNVD see Dakota Cary and Kristin Del Rosso's report Sleight of hand: How China weaponizes software vulnerabilities.
[2] According to “White paper on the Live-Fire Capabilities of Cybersecurity Talents: Attack and Defense Live-Fire Capability Edition,” published by the Chinese Ministry of Education in 2022, “attack and defense live-fire capabilities” encompass the following: the ability to use cybersecurity technologies and tools to carry out security monitoring and analysis; risk assessment; penetration test event research and judgment [i.e. evaluation]; security operations and maintenance, and emergency response in real business environments.
[3] Natto Thoughts discussed the book in more detail in “i-SOON: ‘Significant Superpower’ or Just Getting the Job Done?”
[4] For more on “live-fire” training, see the Natto Thoughts postings about i-SOON, Qingyuan Polytechnic and cyber ranges.