Saturday, October 16, 2021

China Released New Law Regarding Vulnerability Disclosure Rules

The Cyberspace Administration of China (CAC) has released a new law on vulnerability disclosure. Its rules require security researchers to report vulnerabilities to the government authorities first, within two days.

Starting September 1, 2021, the Chinese government will require any Chinese citizen who finds a zero-day vulnerability to pass the details to the Chinese government, and will forbid selling or giving that knowledge to any third party outside of China (apart from the vulnerable product's manufacturer).

The move looks likely to hurt China's lively community of security researchers, many of whom are prominent in international bug bounty programs. (The rules let them disclose bugs to foreign vendors, but not to "provide undisclosed network product security vulnerability information to overseas organizations or individuals other than network product providers", which may preclude events such as Pwn2Own competitions.)

In addition to banning the sale of previously unknown security weaknesses, the new rules forbid disclosing vulnerabilities to "overseas organizations or individuals" other than the products' manufacturers, and state that public disclosures should be accompanied by the simultaneous release of fixes or preventive measures.

The most obvious assumption is that zero-days found in China will be funneled to Chinese APT groups and will not be available for purchase by the NSA or Russian state actors.

Furthermore, the rules also prohibit publishing programs and tools that exploit vulnerabilities and put networks at risk.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc', Priyanshu Vijayvargiya is a cybersecurity analyst, information security professional, developer, and white hat hacker.