<p>As reported in the South China Morning Post (links below), China’s new “Network Product Security Vulnerabilities Regulations” require Chinese firms to report cybersecurity vulnerabilities early, but forbid both companies and independent cybersecurity researchers from disclosing vulnerabilities and weaknesses to overseas organizations.</p>
<p>This is a really interesting move from China. While the two-day timeframe seems short, the government’s intention is likely to hold the information in a centrally managed database so that the true security posture of Chinese infrastructure can be both understood and weaponised.</p>
<p>This looks like a Chinese strategy to hoard exploits, which is something other nations’ security agencies do. This comes with risks: in 2017, the NSA-developed EternalBlue exploit leaked, and its further weaponisation in the form of WannaCry and NotPetya was arguably the catalyst for the trend in ransomware that has plagued the world since.</p>
<p>China’s new vulnerability disclosure regulations spell out stricter requirements for Internet companies, service providers, and security researchers. Internet product/service providers are now required to establish (and register with the CAC) an official vulnerability reporting procedure/platform. The regulation also mandates swift action to validate and remediate reported vulnerabilities. These are all good measures for strengthening the country’s cybersecurity posture.</p>
<p>However, the new requirements on how security researchers should disclose vulnerabilities are a bit heavy-handed. For instance, #9 in the new regulation prohibits security researchers (those who discover security vulnerabilities) from sharing non-public vulnerability information with overseas organizations or individuals. The one exception is sharing with the product owners.</p>
<p>This particular clause is controversial, to say the least. It will limit Chinese security researchers’ ability to collaborate with their international peers. Even presenting research findings on a non-public vulnerability at a conference such as Black Hat or DEF CON will be considered a violation of the law. It may stifle security research in China and isolate Chinese security professionals from the international community.</p>