China lays down new vulnerability disclosure rules

On Tuesday, the Chinese government published new regulations which lay down new vulnerability disclosure procedures. These new rules were issued by the Cyberspace Administration of China (CAC) as the “Regulations on the Management of Security Vulnerabilities in Network Products”. It is suggested that these new rules are much more strict in nature, while also including a lot of controversial articles. This creates a whole new range of complications especially for software companies outside China since many of them work with Chinese security researchers who will be expected to comply with these new rules.

This is a problem because, if the researcher needs to disclose their findings to the Chinese ministry, the state and potentially the state-sponsored actors would gain confidential information about backdoors, etc. in foreign software products. This may potentially lead to the exclusion of Chinese security researchers and bug bounty hunters from international programs.

Highlights of the China vulnerability disclosure rules

Out of all the provisions in the new rules, there are quite a few articles that stand out upon reading the new rules. They have been summarized below:

1. Article 4 – States that it is illegal for individuals or organizations to collect, sell, or publish information on network product security vulnerabilities.
2. Article 5 – Makes it mandatory for any organization or network operator to receive vulnerability reports and keep logs for at least six months.
3. Article 7(2) – Any and all vulnerability reports must be reported to the Ministry of Industry and Information Technology (MIIT) within 2 days.
4. Article 7(3) – “encourages” vendors and operators to have a reward mechanism for reported vulnerabilities.
5. Article 9(1) – Completely restricts security researchers from disclosing any bug details before a vendor has “a reasonable chance” to patch the bug. Any exceptions to this rule to go public with the bug can be negotiated with the MIIT.
6. Article 9(3) – Prohibits researchers from exaggerating risks associated with any flaws or using vulnerabilities to extort vendors.
7. Article 9(4) – Prohibits the publication of programs that can be used to exploit security risks and vulnerabilities.
8. Article 9(7) – Prohibits the disclosure of vulnerability information to any overseas organization or individual other than network product providers.
9. Article 10 – Makes it mandatory for product vendors and network operators to register their vulnerability reporting platforms with the MIIT.

Other than the provisions mentioned above, the new rules also talk about penalties for vendors who fail to release patches for disclosed vulnerabilities, security researchers or others who exploit unpatched vulnerabilities, and organizations that collect vulnerability reports but fail to secure their platforms.

Concerns with the new vulnerablity disclosure rules

The biggest concern with such strict legislation is perfectly described by this quote given by Katie Moussouris, the CEO of Luta Security, to the Record:

“The biggest problem with this provision is if other countries start imposing the same requirements on security research,”

In this article, she goes on to say that if the rules state that the local government must be informed of any vulnerabilities within 2 days, which runs the risk of “aggregating unpatched vulnerability data”. This essentially means that all the vulnerability data aggregated in one place can act as a “treasure trove” for any threat actors. There is also the added concern that the Chinese government will have all the information of any vulnerabilities with foreign products that work with Chinese security researchers.

It is a known fact that China has state-sponsored threat actors like Winnti at their disposal. There are even reports from previous years which explicitly show that the Chinese government delaying the process of listing vulnerabilities into the databases and even altering some details from previous reports. In lieu of all this information, the new rules raise a lot of red flags for security researchers from around the world, as well as put Chinese security researchers at a major disadvantage.

These rules will officially come into force on September 1^st, 2021. The rules will have jurisdiction over all provinces and autonomous regions, and municipalities in China. Therefore, any and all software developed within the borders of China will be expected to conform to these new rules.