From Humble Beginnings: How a Vocational College Became a Vulnerability Powerhouse
Qingyuan Polytechnic's focus on vulnerability studies highlights China's continued efforts in gathering vulnerability resources
In one of the famously leaked chat messages among members of i-SOON – the Chinese information security company allegedly linked to the AQUATIC PANDA threat group – group leader “Shutdown” declared in 2020, “People who have attack and defense live-fire capabilities do not need degrees from elite universities.” He called for recruiting talented students from less-prestigious technical or regional educational institutions. One such institution rocketed to prominence on May 16 of this year. Qingyuan Polytechnic – a vocational school from a third-tier city1 – was one of three higher education institutes honored as Outstanding Universities of the Year for Cooperation at the China National Vulnerability Database of Information Security (CNNVD)’s 2024 Annual Work Review and Outstanding Recognition Conference.2 The other recipients were Beihang University (北京航空航天大学) and Guangzhou University (广州大学), both well-known four-year universities.
At the conference, a number of prominent information security companies, such as 360 Digital Security Technology Group, Topsec Group and Beijing Cyber Kunlun, garnered awards in the Outstanding Technical Support category. Although it did not win an award in this category, Qingyuan Polytechnic does have the distinction of being one of only two higher education institutions among the 332 entities qualifying as CNNVD technical support units.3 Qingyuan Polytechnic has been part of the program since 2023. These technical support units, as indicated by CNNVD, are mostly "information security vendors, software and hardware vendors, and Internet companies,” and are recognized as contributing to “the improvement of capabilities for the discovery, analysis, and processing of major vulnerabilities and security incidents.”
Following the award, Qingyuan Polytechnic received significant media attention due to its rare status as a vocational college from the less-developed mountainous region of Northern Guangdong Province. In this post, the Natto Team will explore how Qingyuan Polytechnic emerged as a top institution in vulnerability discovery, reporting, and analysis, what practices set it apart, and what implications this has for China's overall capability in the process of managing vulnerabilities.
Where is Qingyuan?
To understand Qingyuan Polytechnic, first let’s locate it on the map. Qingyuan Polytechnic is situated in Qingyuan, a third-tier city in the mountainous region of northern Guangdong Province, approximately 50 miles (80 kilometers) from the provincial capital, Guangzhou. Despite Guangdong Province's leading position in China’s gross domestic product (GDP) for 36 consecutive years, Qingyuan lags behind other cities in the province in terms of economic development. According to its 2023 GDP data, Qingyuan’s GDP per capita is below the national average. However, like other cities in the province, Qingyuan has been actively striving for economic growth in various sectors, such as the manufacturing industry. For instance, Vital Technology (先导科技集团有限公司), a prominent company first established in Qingyuan and a manufacturer of critical metals, was listed on the 2024 Fortune China 500 and contributes nearly 8 percent of Qingyuan’s GDP. (On a side note: the Natto Team discovered that Vital Technology allegedly continues supplying key chemicals for Russian missiles and “has amassed a large stockpile of critical minerals, including those used in electronics, batteries, and renewable energy technologies” since 2020. We would like to explore this more in the future).
In the higher education sector, Qingyuan hosts three colleges, all of which are vocational institutions. Among them, Qingyuan Polytechnic stands out as a model vocational college in the province.
How did Qingyuan Polytechnic Become a Top Vulnerability Research and Discovery College?
The vulnerability research and discovery capability of Qingyuan Polytechnic is likely built upon the effort of the college administration, the academic ambition of a few professors and lecturers, and the career prospects for students after graduation.
The administration of Qingyuan Polytechnic has strived to boost the college’s computer network technology study as a flagship major for years and has seen positive results in its academic recognition and graduates’ employment rate. Qingyuan Polytechnic’s Computer Network Technology major is within its School of Information Technology and Creative Design and is classified as a provincial second-tier brand major, which denotes top-quality majors at the provincial level. It offers two-year and three-year degree programs. In 2023, the major had 42 graduates with a two-year degree and 116 with a three-year degree, with 98.76% of graduates securing employment opportunities, significantly higher than the national-level employment rate for vocational college graduates, which stands at 55% to 60%. The computer network technology major has two study concentrations: computer network installation and maintenance, and computer network information security. Both are ranked as key professional majors of Qingyuan Polytechnic, indicating the college likely allocates more funding to these majors than to others.
Qingyuan Polytechnic stated that faculty members of the network information security major have implemented a series of “innovative initiatives” to “align vocational education with actual skill demands (in web security).” For example, the teaching method employed by the faculty is an “integrated live-fire training (战训一体)” model which “connects the teaching process and production process.” (For more on “live-fire” training, see the aforementioned posting about i-SOON and this Natto Thoughts report). The “production process” in this context implies that students can discover vulnerabilities during classroom teaching time. The college notes that students often use “certificates of vulnerability discovery” (public acknowledgment for those who successfully report valid vulnerabilities to CNNVD) instead of other qualification certificates to “secure career opportunities.”
Several professors specializing in network information security have participated in provincially funded technology projects, published academic studies and textbooks, and conducted outreach to promote the “integration of industry and education.” One example is Guo Xiquan (郭锡泉), an associate professor and deputy dean of the School of Information Technology and Creative Design. Guo led a project that published the textbook Web Application Vulnerability and Security Audit in August 2021. Later, the school submitted the volume for consideration as a recommended textbook for the national vocational education model textbooks. Guo also participated in provincial education department research projects, such as “research on the industrialization of intrusion detection systems based on new generation networks” (基于新一代网络的入侵检测系统产业化研究). Additionally, Guo led the vulnerability research team of the school, discovering several hundreds of 0-day vulnerabilities, and guided students in vocational skills competitions, such as computer network application competitions, winning several first prizes according to Guo’s professional bio.
Bright Students in CTF Competition
It appears that dedicated professors at Qingyuan Polytechnic have nurtured talented graduates. The School of Information Technology and Creative Design promotes "network information security technology for innovation and entrepreneurship," with alumnus Chen Xiangxi (陈香锡), a 2017 graduate, standing out as an exceptional example. At a school event, Professor Guo Xiquan highlighted how Chen "utilized his professional knowledge and incorporated innovative thinking to achieve significant breakthroughs in vulnerability discovery and generate substantial income, thereby realizing his self-worth," as stated in a school news report in March 2018.
Further research by the Natto Team revealed that Chen Xiangxi's achievements are indeed noteworthy. He is not only a skilled hacker but also an entrepreneur, as described by his professor. Chen identifies himself as an expert in security detection and penetration testing.
In 2008, Chen, known by the persona "akast" and likely a middle school student at that time, co-founded the SAINTSEC team. This team claimed that it is “more than just a CTF team,” an acronym referring to capture-the-flag hacking competitions; it is “also a place for geeks and hackers to meet and discuss various security technologies,” according to one of the team introductions.
In 2014, during his freshman year at Qingyuan Polytechnic, Chen and his teammates founded Guangzhou Shenghui Information Technology Company (广州市圣辉信息技术有限公司), also known as Saint Security, which operates under the domain "saintsec.com." An archived company “About” page from April 2016 stated that the SAINTSEC team had been providing cybersecurity technical services since 2008. Team members had discovered dozens of novel (0-day) vulnerabilities, receiving recognition from CNVD (China National Vulnerability Database)4 and CNNVD. Most of these were high-risk vulnerabilities.
The Natto Team discovered that between September 26, 2016, and October 16, 2016, Guangzhou Shenghui reported a total of six 0-day vulnerabilities, according to records from the CNVD Weekly Vulnerability Report. The company’s “About” page also stated that the company served various clients, including government entities such as the Hunan Provincial Public Security Bureau and the Guangdong Provincial Public Security Bureau.
As an alumnus, Chen Xiangxi has attracted many information security students from Qingyuan Polytechnic to join the SAINTSEC team. The team claims that their experience with SAINTSEC has helped these students secure positions at major cybersecurity firms.
Additionally, SAINTSEC has actively participated in hacking competitions across China,5 winning numerous prizes in the following competitions:
The 2nd Red Hat Cup Cybersecurity Competition (2018)
The 4th Guangdong “Qiangwang Cup” (“强网杯”) (November 2021)
Real World CTF (2022)
Yangchen Cup Cybersecurity Competition College Group (2022)
Interestingly, the website of Guangzhou Shenghui (Saint Security) is no longer accessible. However, the SAINTSEC team remains active and continues to thrive.
CNNVD Including Universities in its Support Units Means…
The achievements of Qingyuan Polytechnic in vulnerability research and discovery are noteworthy. Vocational colleges commonly emphasize practical skills to enhance students' employment prospects. Qingyuan Polytechnic has recognized that students' proficiency in vulnerability research and discovery is a highly valuable practical skill. As mentioned above, the Natto Team’s previous research regarding i-SOON, the Chinese information security company allegedly linked to the AQUATIC PANDA threat group, highlighted this demand. i-SOON adopted an alternative approach to recruit talent by welcoming candidates without bachelor's degrees. According to i-SOON's CEO Shutdown, employees with "attack and defense live-fire capabilities" do not require a four-year degree as long as “they know how to do [the work].” This cost-effective strategy focused on recruiting students from technical or regional educational institutions that are less prestigious, thereby sustaining the business for i-SOON. Clearly, vocational schools like Qingyuan Polytechnic have adapted their talent training programs to meet market demand.
Furthermore, vocational schools are incentivized to deepen their studies in vulnerability research when CNNVD collaborates with and includes them in its technical support program. Specifically, the public acknowledgment certificates of vulnerability discovery from CNNVD can significantly enhance students' future employment opportunities, thereby increasing students' interest in vulnerability discovery and exploitation. This win-win strategy benefits both the Chinese government and vocational schools.
In 2024, Qingyuan Polytechnic contributed over 80 high risk vulnerabilities to CNNVD, which is more than double the annual submission requirement for a top-tier technical support unit. This indicates that the faculty and students at Qingyuan Polytechnic possess vulnerability research and discovery capabilities competitive with those of leading information security companies.
As Qingyuan Polytechnic proudly announced its unique status as the only vocational college honored with CNNVD’s cooperation award and selected as a technical support unit, it is expected that more colleges will strive to earn this distinction and contribute to the Chinese government's stockpile of vulnerability resources— national strategic assets.
For details of China’s city-tier classification, see this China Briefing article.
CNNVD is one of two national vulnerability databases in China. CNNVD is managed by the China Information Technology Security Evaluation Center (CNITSEC), which several research studies have reported to be associated with the Ministry of State Security's 13th Bureau.
The other university is Chengdu University of Information Technology (CUIT, 成都信息工程大学), a university known for its close ties with the Chinese military, which joined the program in March of this year.
China National Vulnerability Database (CNVD), the other state operated vulnerability database which is run by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC). For details of CNVD and CNNVD see Dakota Cary and Kristin Del Rosso ‘s report: Sleight of hand: How China weaponizes software vulnerabilities.
For more details of hacking competitions in China, see Capture the (red) flag: How hacking contests enhance China’s cyber capabilities and the China CTF Competition Tracker, written by Dakota Cary and Eugenio Benincasa.