China’s new vulnerability disclosure rules go into effect
Under the new rules by the Cyberspace Administration of China, zero-day vulnerabilities must be disclosed to the government, which will decide what repairs to make. No one in China may ‘collect, sell or publish information on network product security vulnerabilities’ and this information cannot be given to ‘overseas organisations or individuals’ other than the product’s manufacturer. It means that private sector experts won’t be able to sell the zero-day weaknesses they find.
Experts commented that this might lead to Chinese found zero days being passed to Chinese ATP groups. Further, it is not certain that the Chinese government will inform the manufacturer about the vulnerabilities in their products. Finally, it is not certain if the rules will ban the participation of Chinese nationals in bug bounty programmes or pwn2own competitions, which could lead to a smaller number of discovered vulnerabilities.
About author
DW Team
The GIP Digital Watch Observatory team, consisting of over 30 digital policy experts from around the world, excels in the fields of research and analysis on digital policy issues. The team is backed by the creative prowess of Creative Lab Diplo and the technical expertise of the Diplo tech team.