Chinese Vulnerability Disclosure Program

The Cyberspace Administration of China (CAC) has issued new, more stringent vulnerability disclosure regulations that require security researchers who uncover critical vulnerabilities in computer systems to compulsorily disclose them to government authorities within two days of filing a report.

The “Network Product Security Vulnerability Management Policy” is expected to come into effect on September 1, 2021, and aims to standardize the discovery, reporting, repair and publication of security vulnerabilities and to prevent security risks.

“No organization or individual may take advantage of network product security vulnerabilities to engage in activities that endanger network security, and must not illegally collect, sell or publish information about network product security vulnerabilities”, stipulates Article 4 of the regulations.

In addition to prohibiting the sale of previously unknown security vulnerabilities, the new rules also prohibit disclosure of vulnerabilities to “foreign organizations or individuals” other than product manufacturers, while noting that public disclosures should be accompanied simultaneously by publication of repairs or preventive measures.

“It is forbidden to deliberately exaggerate the damage and risk associated with the security vulnerabilities of network products, and information about the security vulnerabilities of network products must not be used to carry out malicious speculation or fraud, extortion and other illegal and criminal activities”, states Article 9(3) of the regulation.

In addition, the regulation prohibits the release of programs and tools that exploit vulnerabilities and put the security of networks at risk.

