Zero-Day Bugs Must Be Reported to Government Within 2 Days of Discovery – New Chinese IT Law

The Chinese government has passed a new rule requiring every cybersecurity expert to report any zero-day vulnerability they find in software to the government within two days of discovery.

Experts also have no right to sell that information without the prior consent of the government. The rule is set out in the “Regulations on the Management of Network Product Security Vulnerabilities” and takes effect on September 1, 2021.

New Rules of CAC

According to the report, the new rules, issued by the Cyberspace Administration of China (CAC), contain several vaguely worded articles.

Here we list some of the important articles that cybersecurity experts are expected to follow:

  • Article 4: It is illegal for any organization to collect or sell vulnerability information.
  • Article 5: As soon as an organization becomes aware of a vulnerability, it must report it as required by the regulations and keep records for at least six months.
  • Article 7, (2): The organization must report the vulnerability to the Ministry of Industry and Information Technology (MIIT) within two days.
  • Article 7, (3): A reward mechanism will be made available to those who report vulnerabilities on time.
  • Article 9, (1): Cybersecurity experts may not disclose any details of a vulnerability before it is patched; any exception requires the vendor to obtain MIIT’s approval.
  • Article 9, (3): Researchers are prohibited from amplifying the risks linked to a security flaw or from using a vulnerability to extort vendors.
  • Article 9, (4): Prohibits the publication of applications and tools that exploit vulnerabilities and put networks at risk.
  • Article 9, (7): Experts may not disclose vulnerability details to “abroad organizations or individuals other than network product providers.”
  • Article 10: Operators must register the vulnerabilities they encounter with the MIIT, as required by the regulations.

Industry Experts Are Worried About The New Rules

Disclosing a vulnerability in violation of these rules can lead to penalties, with the threat of law enforcement consequences through the Ministry of Public Safety.

Dmitri Alperovitch, Chairman of the Silverado Policy Accelerator, singled out the obligation to report all vulnerability details to the MIIT within two days of discovery as the most troubling part of the law.

Industry must follow these rules as well, and those who do not comply face penalties. As noted above, the new rules take effect on September 1, 2021.

The report states that the new rules are part of a broader effort by Beijing to strengthen the country’s cybersecurity posture.

This fits a longer trend: over the past two decades China has steadily tightened its control over information and computer security.


BALAJI is a former Security Researcher (Threat Research Labs) at Comodo Cybersecurity, and Editor-in-Chief and Co-Founder of Cyber Security News and GBHackers On Security.