This new policy effectively puts all private and educational security research directly under the supervision of China’s MIIT. Notably, 0-day discoveries will be disclosed to MIIT and potentially funneled to state sponsored threat groups, giving China’s government a head start in exploiting vulnerabilities before they are publicly disclosed. In addition, security research collaboration is curtailed between all private Chinese researchers and Western organizations. Government researchers and private researchers will be unable collaborate in finding vulnerabilities or creating vulnerability management tools. If they have not been already updated, threat models need to be revised to include nation state actors employing 0-day vulnerabilities in mass campaigns. These groups include both Chinese as well as other highly skilled state sponsored actors from a number of additional countries. This change in policy emphasizes the importance of being proactive in detecting security threats by not only monitoring alarms generated by security products, but also investigating any unusual or anomalous activity that could be caused by exploitation of unknown vulnerabilities. Binary Defense offers SOC monitoring and Threat Hunting services to help organizations defend their systems from intrusions.

https://therecord.media/chinese-government-lays-out-new-vulnerability-disclosure-rules/