Chinese government lays out new vulnerability disclosure rules

The Chinese government has published new regulation on Tuesday laying out stricter rules for vulnerability disclosure procedures inside the country's borders.

The new rules include controversial articles, such as ones introducing restrictions to prevent security researchers from disclosing bug details before a vendor had a reasonable chance to release fixes and the mandatory disclosure of bug details to state authorities within two days of a bug report.

Issued by the Cyberspace Administration of China (CAC), the most important points in the new "Regulations on the Management of Security Vulnerabilities in Network Products," are summarized below:

• Article 4: Makes it illegal for individuals or organizations to "collect, sell, or publish information on network product security vulnerabilities."
• Article 5: Mandates that any organizations or network operators must set up to receive vulnerability reports and keep logs for at least six months.
• Article 7, (2): Vendors must share all vulnerability reports with the Ministry of Industry and Information Technology (MIIT) within two days.
• Article 7, (3): Encourages network operators and product vendors to set up a reward mechanism for reported vulnerabilities.
• Article 9, (1): Prohibits security researchers from disclosing bug details before a vendor had a reasonable chance to patch. Exceptions to go public can be negotiated with MIIT's approval.
• Article 9, (3): Prohibits researchers from exaggerating risks associated with security flaws or using a vulnerability to extort vendors.
• Article 9, (4): Prohibits the publication of programs and tools to exploit vulnerabilities and put networks at risk.
• Article 9, (7): Prohibits disclosing vulnerability details to "overseas organizations or individuals other than network product providers."
• Article 10: Mandates that all network operators and product vendors to register their vulnerability reporting platforms with the MIIT.

The new rules also warn of penalties for vendors who fail to release patches for reported vulnerabilities, organizations that collect vulnerability reports but fail to secure their platforms, and for security researchers and anyone else who abuses unpatched vulnerabilities.

New rules worry industry experts

"This appears to be a sweeping law. It codifies in law some responsible vulnerability disclosure penalties, threatening law enforcement repercussions via the Ministry of Public Safety for any researcher that does not follow the prescribed process," Dmitri Alperovitch, Chairman of the Silverado Policy Accelerator, a Washington-based cybersecurity think tank, told The Record.

Alperovitch described the requirement to report all the technical details of a vulnerability to the MIIT within two days of discovery as "the most troubling part of the law."

Katie Moussouris, founder and CEO of Luta Security and one of the pioneers of the bug bounty and vulnerability disclosure industry, also warned about this requirement.

"The biggest problem with this provision is if other countries start imposing the same requirements on security research," Moussouris said.

Notifying your local government within two days of discovering a vulnerability adds risk in aggregating unpatched vulnerability data. If the US and our partners imposed this requirement, thinking it will help prevent attacks as vendors scramble to fix vulnerabilities or fuel offensive capabilities with fresh zero-days, we will instead expose ourselves to aggregating an unprecedented treasure trove of unpatched bugs for our adversaries to attack and steal as well.

Katie Moussouris, founder and CEO of Luta Security

In addition, Moussouris also raised the issue of western-based bug bounty platforms that have been working with Chinese security researchers for the past years.

"If Western-based bug bounty platforms comply with this requirement in order to continue to legally receive bug reports from Chinese researchers, we must assume they will be required to hand over vulnerability data to the Ministry within two days of receiving the reports," Moussouris said.

"That requirement will effectively introduce a backdoor straight to the Chinese government in any VDP [vulnerability disclosure program] or bug bounty program where Chinese researchers submit bugs via platforms, even to non-Chinese companies."

New rules to enter into effect this fall

The new vulnerability disclosure regulations are set to enter into effect starting September 1, 2021.

Work on the new regulations has been underway since 2017. The provision that product vendors might need to share vulnerability details with Chinese state agencies has been known and in the public domain since at least 2020.

The new rules are part of a concerted Beijing effort to bolster the country's cybersecurity posture.

Last week, Beijing officials issued new cybersecurity laws mandating that any Chinese company that serves more than one million users must undergo a security audit before listing its shares overseas.

Recorded Future reports published in 2017 and 2018 found that the Chinese Ministry of State Security had been delaying the process of listing important bugs in public vulnerability databases and had altered some vulnerability disclosure details in past reports.