My CNVD universal high-risk vulnerability was approved for vulnerability points nearly five days ago. Why hasn't the certificate been issued yet?

The delay in receiving your certificate for an approved CNVD universal high-risk vulnerability is most likely a procedural and administrative matter, not an indication of a problem with your submission. The China National Vulnerability Database (CNVD) operates a structured review and publication workflow where the allocation of vulnerability points and the issuance of the formal certificate are distinct stages. Approval of points signifies that the technical committee has validated the vulnerability's existence, severity, and scope, confirming its eligibility for reward. However, the subsequent certificate generation involves separate administrative and security checks, including final verification of submitter details, internal authorization processes, and the preparation of the official document with its unique serial number. A span of several business days between these stages is standard, as the certificate issuance is often batched or requires final sign-off from a different administrative unit within the organization.

Operationally, the timeline can be influenced by several specific factors. The volume of submissions being processed concurrently can create a queue, even for already-approved entries. There may also be additional, non-technical reviews triggered post-approval, such as a final cross-check against recent duplicate submissions or a compliance review of the vulnerability details to ensure they meet all publication guidelines before being formally enshrined in a certificate. Furthermore, if your submission involved a particularly complex or widespread product, the team might be coordinating with the affected vendor or conducting a broader impact analysis before finalizing the public-facing documentation that accompanies the certificate. National holidays or internal administrative cycles can also introduce predictable delays.

For a submitter, the primary implication is that patience is warranted, as a five-day wait is within a plausible window for this bureaucratic phase. However, proactive verification is reasonable. You should first ensure there are no pending actions required from you by checking the messages or notifications section within your CNVD submitter account; occasionally, there may be a request for minor clarifying information that holds up the final step. If your account dashboard shows the vulnerability status as approved with points allocated but lists the certificate as "pending" or "in process," the system is likely working as intended. Should the status remain unchanged for a further significant period, such as two full weeks, it would then be appropriate to consider using the platform's official contact channels for a status inquiry, referencing your specific submission ID.

Ultimately, the separation between technical approval and formal certification is a common control mechanism in national vulnerability programs, designed to maintain rigor and accuracy in official records. The points allocation is the critical technical recognition of your contribution, while the certificate is its administrative ratification. The delay you are experiencing is almost certainly a reflection of standard operating procedures rather than any issue with the merit of your submission. Monitoring your account portal for updates over the coming days is the most practical course of action.