China’s new vulnerability disclosure rules go into effect

Under the new rules by the Cyberspace Administration of China, zero-day vulnerabilities must be disclosed to the government, which will decide what repairs to make. No one in China may ‘collect, sell or publish information on network product security vulnerabilities’ and this information cannot be given to ‘overseas organisations or individuals’ other than the product’s manufacturer. It means that private sector experts won’t be able to sell the zero-day weaknesses they find.

Experts commented that this might lead to Chinese found zero days being passed to Chinese ATP groups. Further, it is not certain that the Chinese government will inform the manufacturer about the vulnerabilities in their products. Finally, it is not certain if the rules will ban the participation of Chinese nationals in bug bounty programmes or pwn2own competitions, which could lead to a smaller number of discovered vulnerabilities.