China’s New Law Requires Researchers to Report All Zero-Day Bugs to Government

News

The Cyberspace Administration of China (CAC) has issued new stricter vulnerability disclosures regulations that mandate security researchers uncovering critical flaws in computer systems to mandatorily disclose them first-hand to the government authorities within two days of filing a report.

The “Regulations on the Management of Network Product Security Vulnerability” are expected to go into effect starting September 1, 2021, and aim to standardize the discovery, reporting, repair, and release of security vulnerabilities and prevent security risks.

Stack Overflow Teams

“No organization or individual may take advantage of network product security vulnerabilities to engage in activities that endanger network security, and shall not illegally collect, sell or publish information on network product security vulnerabilities,” Article 4 of the regulation states.

In addition to banning sales of previously unknown security weaknesses, the new rules also forbid vulnerabilities from being disclosed to “overseas organizations or individuals” other than the products’ manufacturers, while noting that the public disclosures should be simultaneously accompanied by the release of repairs or preventive measures.

“It is not allowed to deliberately exaggerate the harm and risk of network product security vulnerabilities, and shall not use network product security vulnerability information to carry out malicious speculation or fraud, extortion and other illegal and criminal activities,” Article 9 (3) of the regulation reads.

Furthermore, it also prohibits the publication of programs and tools to exploit vulnerabilities and put networks at a security risk.

Products You May Like

Articles You May Like

GodLoader Malware Infects Thousands via Game Development Tools
UK Justice System Failing Cybercrime Victims, Cyber Helpline Finds
Wanted Russian Hacker Linked to Hive and LockBit Ransomware Arrested
AI-Powered Fake News Campaign Targets Western Support for Ukraine and U.S. Elections
The Future of Serverless Security in 2025: From Logs to Runtime Protection

Leave a Reply

Your email address will not be published. Required fields are marked *