The Cyberspace Administration of China (CAC) has issued a new exacerbated vulnerability disclosure regulation that requires white hat hackers uncovering critical zero-day flaws in computer systems to first report them to the government authorities within two days from their discovery.
“The relevant vulnerability information should be reported to the Ministry of Industry and Information Technology’s cyber security threat and vulnerability information sharing platform within 2 days. The content of the submission should include the product name, model, version, and the technical characteristics, harm, and scope of the vulnerability that have security loopholes in network products.” reads the “Regulations on the Management of Network Product Security Vulnerability” published by CAC.
Article 4 of the regulation also prohibits individuals or organizations to illegally “collect, sell, or publish information on network product security vulnerabilities,” while Article 7 encourages network operators and product vendors to set up bug bounty programs.
Organizations or individuals are prohibited to provide undisclosed network product security vulnerability information to overseas organizations or individuals other than network product providers.
The regulations are expected to go into effect starting September 1, 2021.
The Chinese government last week issued new cybersecurity laws mandating that any Chinese company that provides services to more than one million users must be audited before listing its shares overseas.
(SecurityAffairs – hacking, Chinese Government)