On July 12, China issued the Provisions on Network Product Security Vulnerability Management (《关于印发网络产品安全漏洞管理规定的通知》) (English translation here). The document was jointly issued by the Ministry of Industry and Information Technology, the Cyberspace Administration of China, and the Ministry of Public Security, and will take effect on September 1, 2021. The requirements and procedures for disclosing security vulnerabilities are now stricter and may have an impact on Chinese cybersecurity experts as well as foreign companies, according to some analysts.
The Provisions have 16 articles and set forth specific obligations related to verification, remediation, and notification of security vulnerabilities for three categories of entities: (1) providers of any network products, including software and hardware, (2) network operators, and (3) any entities or individuals working in the field of identification, collection, and publication of network product security vulnerabilities.
In particular, network product providers shall take remedial measures and conduct verification and assessment once a security vulnerability is identified, and notify upstream providers and downstream users. In addition, the Provisions require network product vendors to report security vulnerabilities to the MIIT Network Security Threat Information Sharing Platform within 2 days. (Article 7) Some experts described this requirement as “the most troubling” from both cybersecurity and obligation standpoints: It consolidates vulnerability data that is subject to attacks and creates more burdens on companies.
The Provisions provide for specific obligations with regard to disclosing vulnerabilities on entities or individuals that identify, collect and publish security vulnerabilities. Among other scenarios, they are prohibited from providing unpublished information about cybersecurity vulnerabilities to foreign organizations or individuals. There are concerns over how the new rules would bar Chinese researchers from benefiting from disclosing security vulnerabilities to foreign platforms, which could lead to a “brain drain” in China or fewer discovered and disclosed vulnerabilities. But there are different views. At least one American cybersecurity expert believes that the law “doesn’t prevent researchers from telling the products’ companies, even if they are outside of China” because it only bars “cyber-arms trade.”
In addition, entities or individuals that discover security vulnerabilities shall not publish, unless approved by relevant agencies, such information before product providers take remedial measures, or use such information to conduct malicious hype, fraud, blackmail, or other illegal activities. (Article 9) In the past, it was a grey area in China where researchers used discovered loopholes for blackmailing or trading purposes. These new rules aim at providing guidance for “white hats,” who are ethical computer hackers. The Provisions also prohibit any disclosure about security vulnerabilities during major state events without the authorization of the Ministry of Public Security. (Article 9)
Network operators also have the obligation to take remedial measures once discovering a vulnerability, according to the Provisions. (Article 8)
The Provisions prohibit any entity or individual from using the network product security loopholes to endanger network security; illegally collecting, selling, or publishing information on network product security vulnerabilities; or providing technical support, advertising promotion, payment settlement, etc to anyone who endangers network security by taking advantage of security vulnerabilities. (Article 4) This raises speculation that private researchers in the field could potentially be banned, although it is unclear if there are any in China. The new rule also encourages any organizations and individuals to report security vulnerabilities (Article 6), making the status of private researchers even more unclear.
The Provisions also provide for an obligation for network products providers, network operators, and platforms for the collection of security vulnerabilities to create channels for receiving information on security vulnerabilities and keep the record for at least 6 months. (Article 5)
All entities or individuals shall register their vulnerability collecting platform with the MIIT and are encouraged to share information with the state platforms. (Article 10)
Any violation of these obligations set forth in the Provisions will be punished under the Cybersecurity Law. (Article 12-15)
The drafting of the Provisions started in 2019. The draft version of the Provisions was issued in June 2019. Compared to the draft version, the final version extends the obligations and clarifies the punishment.
Ultimately, the Provisions serve the purpose of clarifying the responsibility and obligations of relevant parties in the sector of network-related products and services, as there was some confusion in the past. Officials believe that this would help safeguard the safe operation of cyber products and systems, according to an official explainer.
Additional readings:
- Critical entities targeted in suspected Chinese cyber spying, https://apnews.com/article/government-and-politics-hacking-technology-business-7350235e07d46ba5afc1238b553ea4b9
- New Law Will Help Chinese Government Stockpile Zero-Days, https://www.securityweek.com/new-law-will-help-chinese-government-stockpile-zero-days
- Chinese government lays out new vulnerability disclosure rules, https://therecord.media/chinese-government-lays-out-new-vulnerability-disclosure-rules/