Companies and security researchers operating in China that identify either software or hardware vulnerabilities will need to tell Beijing the precise details of the bugs within two days of their being found, according to new national security rules coming into force from September 1, which also warn against those who “illegally collect, sell, or publish information on network product security vulnerabilities” (i.e. 0days).
The move looks likely to hurt China’s lively community of security researchers, many of whom are prominent in international bug bounty programmes. (The rules let them disclose bugs to foreign vendors, but not to “provide undisclosed network product security vulnerability information to overseas organizations or individuals other than network product providers”, which may preclude things like Pwn2Own competitions.)
The rules were published by the Cyberspace Administration of China (CAC) on July 13, 2021 on behalf of the Ministry of Public Security and Ministry of Industry and Information Technology. All “network product (including hardware and software) providers and network operators within the territory of the People’s Republic of China, as well as organizations or individuals engaged in the discovery, collection, and release of network product security vulnerabilities, shall abide by these regulations” the edict emphasises.
“The content of the submission [to Beijing] should include the product name, model, version, and the technical characteristics, harm, and scope of the vulnerability that have security loopholes in network products”, the Chinese language update said* (Google Translate/The Stack). Those failing to do so will be dealt with under Article 60 of the country’s 2017 cybersecurity law. (This would result in fines of between RMB 50,000 (~£5,000) and 500,000 (~£50,000) according to earlier translations of that legislation).
One almost certain outcome of the new rules is that the Chinese government will know about new security vulnerabilities in the products of western vendors before they do — or certainly before they are able to patch. With the country widely considered to be an aggressive actor in global cyber-espionage, and with the recent exploitation of Microsoft Exchange servers attributed to a Chinese APT, policy makers and software companies will no doubt be paying close attention.