China “Product Security Vuln. Regulations” May Silence Researchers

BACKGROUND:

As reported in the South China Morning Post (links below), China’s new “Network Product Security Vulnerabilities Regulations” require Chinese firms to report cybersecurity vulnerabilities early, but forbid both companies and independent cybersecurity researchers from disclosing vulnerabilities and weaknesses to overseas organizations.

Expert Comments

July 16, 2021
David Kennefick
Solutions Architect
Edgescan


This is a really interesting move from China. While the two-day timeframe seems short, the government's intention is likely that of holding information in a centrally managed database so the true security posture of Chinese infrastructure can be both understood and weaponised.

This looks like a Chinese strategy to hoard exploits, which is something other nations' security agencies do. This comes with risks: in 2017, the NSA developed the EternalBlue exploit, and the subsequent leak and further weaponisation of EternalBlue in the form of WannaCry and NotPetya was arguably the catalyst for the recent trend in ransomware that has plagued the world since.

July 16, 2021
Dr. Chenxi Wang
General Partner
Rain Capital


China's new vulnerability disclosure regulations spell out stricter requirements for Internet companies, service providers, and security researchers. Internet product/service providers are now required to establish (and register with the CAC) an official vulnerability reporting procedure/platform. The regulation also mandates swift actions to validate and remediate reported vulnerabilities. These are all good measures to take to strengthen the country's cybersecurity posture.

However, the new requirements on how security researchers should disclose vulnerabilities are a bit heavy-handed. For instance, #9 in the new regulation prohibits security researchers (those who discover security vulnerabilities) from sharing non-public vulnerability information with overseas organizations or individuals. The one exception is with the product owners.

This particular clause is controversial, to say the least. It will limit Chinese security researchers' ability to collaborate with their international peers. Even sharing research findings on a non-public vulnerability at a conference such as Blackhat or Defcon will be considered a violation of the law. It may potentially stifle security research in China and isolate Chinese security professionals from the international community.
