The Chinese government’s Cyberspace Administration released a number of new vulnerability disclosure requirements that require companies and individuals to work more closely with the Ministry of Industrial and Information Technology (MIIT). The most notable of these include a ban on selling, collecting, or publishing vulnerabilities by private researchers, a ban on disseminating programs or tools that can “exploit vulnerabilities” or “put networks at risk,” a ban on sharing such information with any foreign entities except the affected “network product provider,” and a requirement to disclose such discoveries to MIIT within two days. The new law also includes a number of more typical disclosure and mitigation requirements, such as requiring vendors to accept vulnerability reports and issue patches.
Analyst Notes
This new policy effectively puts all private and educational security research directly under the supervision of China’s MIIT. Notably, 0-day discoveries will be disclosed to MIIT and potentially funneled to state sponsored threat groups, giving China’s government a head start in exploiting vulnerabilities before they are publicly disclosed. In addition, security research collaboration is curtailed between all private Chinese researchers and Western organizations. Government researchers and private researchers will be unable collaborate in finding vulnerabilities or creating vulnerability management tools. If they have not been already updated, threat models need to be revised to include nation state actors employing 0-day vulnerabilities in mass campaigns. These groups include both Chinese as well as other highly skilled state sponsored actors from a number of additional countries. This change in policy emphasizes the importance of being proactive in detecting security threats by not only monitoring alarms generated by security products, but also investigating any unusual or anomalous activity that could be caused by exploitation of unknown vulnerabilities. Binary Defense offers SOC monitoring and Threat Hunting services to help organizations defend their systems from intrusions.
https://therecord.media/chinese-government-lays-out-new-vulnerability-disclosure-rules/
