Friday, July 23, 2021

China Released New Law Regarding Vulnerability Disclosure Rules


The Cyberspace Administration of China (CAC) has released a new law on vulnerability disclosure that requires security researchers to report vulnerabilities to the government authorities first, within two days of filing a report.

Starting September 1, 2021, the Chinese government will require that any Chinese citizen who finds a zero-day vulnerability must pass the details to the Chinese government and must not sell or give the knowledge to any third party outside of China (apart from the vulnerable product’s manufacturer).

The move looks likely to hurt China’s lively community of security researchers, many of whom are prominent in international bug bounty programs. The rules let them disclose bugs to foreign vendors, but not to “provide undisclosed network product security vulnerability information to overseas organizations or individuals other than network product providers”, which may preclude things like Pwn2Own competitions.

In addition to banning sales of previously unknown security weaknesses, the new rules also forbid vulnerabilities from being disclosed to “overseas organizations or individuals” other than the products’ manufacturers, while noting that the public disclosures should be simultaneously accompanied by the release of repairs or preventive measures.

The most obvious assumption is that zero-days found by Chinese researchers will be funneled into Chinese APT groups and will not be made available for purchase by the NSA or Russian state actors.

Furthermore, the rules also prohibit the publication of programs and tools that exploit vulnerabilities and put networks at risk.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc', Priyanshu Vijayvargiya is a cybersecurity analyst, information security professional, developer, and white hat hacker.
