China Introduced New Rules for Software Vulnerability Disclosure

• The Chinese state introduces new software vulnerability disclosure rules in the form of a sweeping new law.
• The new guidelines require that bug bounty hunters will not use or sell or hoard flaws for profit or harm.
• All identified flaws must be reported to the public after they have been fixed, and reported to the state within two days after their discovery.

The Chinese Ministry of Industry and Information Technology has presented a set of new regulations that will underpin software and network product security vulnerability disclosure procedures. The new rules will come into force on September 1, 2021, and cover all provinces, autonomous regions, and municipalities of China, so every piece of software developed in the Asian superpower will be expected to comply.

In summary, the new regulations dictate the following:

• Article 3 – The entity responsible for overseeing the vulnerability management procedures from now on will be the National Internet Information Office. The Ministry of Public Security will also supervise in order to deal with cases of law violation.
• Article 4 – Using, publishing, or selling knowledge about software flaws to engage in security-compromising activities of any kind is forbidden.
• Article 5 – Network operators and software service providers must set up security reporting platforms and keep tip reception logs for at least six months.
• Article 6 – If a security loophole is found in a product, the organizations or individuals using it are encouraged to notify the product provider.
• Article 7 – Network product providers are now expected to patch any identified or reported flaws in a timely manner. They are given two days to report vulnerabilities to the Ministry, and are also obliged to notify users who may have been affected and support them.
• Article 9 – Bug bounty hunters and organizations engaging in the field are expected to publish all vulnerabilities they find on channels where society has access. This should not happen before the process of fixing the flaws has been completed. Moreover, when publishing the flaws, researchers are also expected to issue preventive measures, mitigations, and fixing advice. During periods of major events held by the state, no vulnerabilities should be disclosed.
• Article 10 – All vulnerability collection platforms and organizations must register themselves as such to the Ministry.

The rest of the articles describe what happens in the cases of failure to comply with the above, and it’s clear that the state will not shy from punishing deviations from the context of the “Cybersecurity Law of the People’s Republic of China,” which now encompasses the vulnerability disclosure rules.

The new rules create a host of complications even for software companies outside of China, as many of them work with Chinese researchers who are covered by the new law. If these researchers were to disclose their findings to the Chinese Ministry, the state and potentially the actors it sponsors would get to learn about valuable backdoors in foreign products. This can’t work out in any way within the new legal context, so essentially, all Chinese bug bounty hunters are about to be excluded from international programs.

Offensive security expert and influential hacker John Jackson has shared the following comment with us on the above rules: