The Chinese cyber regulator, the Cyberspace Administration of China (CAC), has issued a new law requiring security researchers to report zero-day vulnerabilities to the government. The “Regulations on the Management of Network Product Security Vulnerability” make it mandatory for security researchers to disclose critical flaws in computer systems to the government authorities within two days of filing a report.
Aim of this Law
These regulations come into effect on 1 September 2021. They aim to standardize the discovery, reporting, repair, and release of security vulnerabilities and to prevent security risks, The Hacker News reported.
Article 4 of the regulation states, “No organization or individual may take advantage of network product security vulnerabilities to engage in activities that endanger network security, and shall not illegally collect, sell or publish information on network product security vulnerabilities.”
Prohibitions under the Law
In addition to banning sales of previously unknown security weaknesses, the new rules prohibit disclosure of vulnerabilities to “overseas organizations or individuals.” The regulations exempt product manufacturers, but any public disclosure must be accompanied by the simultaneous release of repairs or preventive measures.
Article 9(3) of the regulation states, “It is not allowed to deliberately exaggerate the harm and risk of network product security vulnerabilities, and shall not use network product security vulnerability information to carry out malicious speculation or fraud, extortion, and other illegal and criminal activities.”
The law also prohibits the publication of programs and tools that exploit vulnerabilities and put networks at risk.