The Cyberspace Administration of China (CAC) released a new law on vulnerability disclosure that requires security researchers to disclose vulnerabilities to government authorities first, within two days of filing a report.
Starting September 1, 2021, the Chinese government will require that any Chinese citizen who finds a zero-day vulnerability must pass the details to the Chinese government and must not sell or give the knowledge to any third party outside of China (apart from the vulnerable product’s manufacturer).
The move looks likely to hurt China’s lively community of security researchers, many of whom are prominent in international bug bounty programs. (The rules let them disclose bugs to foreign vendors, but not to “provide undisclosed network product security vulnerability information to overseas organizations or individuals other than network product providers”, which may preclude participation in events such as Pwn2Own competitions.)
In addition to banning sales of previously unknown security weaknesses, the new rules also forbid vulnerabilities from being disclosed to “overseas organizations or individuals” other than the products’ manufacturers, while noting that the public disclosures should be simultaneously accompanied by the release of repairs or preventive measures.
The most obvious assumption is that zero-days found by Chinese researchers will be funneled to Chinese APT groups and will not be made available for purchase by the NSA or Russian state actors.
Furthermore, the law prohibits the publication of programs and tools that exploit vulnerabilities and put networks at risk.