Teri Radichel

New Chinese Law Limits Vulnerability Reports

Do you know where your security products are tested?

Every week I capture as many important security news articles as I can find and publish them to my cybersecurity news feed blog. It generally comes out on Mondays. In two of those posts, under the “Laws & Legal” section, I included articles about a new law in China related to software vulnerabilities.

This new law raises some concerns because it limits information sharing, with one exception: it requires that vulnerability information be given to the Chinese government within two days of discovery.

Here are some key points that I’ve been pondering from an article by The Record that took a look at the new law.

Article 4: Makes it illegal for individuals or organizations to “collect, sell, or publish information on network product security vulnerabilities.”

That means any security researcher who finds a vulnerability and wants to publish information about it to warn other people cannot do so. What if the vendor refuses to fix the vulnerability, or fails to fix it for some reason? The Chinese government may know about the vulnerability while the customers who use that product do not.

Article 7, (2): Vendors must share all vulnerability reports with the Ministry of Industry and Information Technology (MIIT) within two days.

Please note that some network security product vendors have quality assurance (QA) teams that test products in China before shipping them to customers. The people on these teams are employed to find flaws in the security appliance. If the company is performing comprehensive testing of its products, some of those flaws will be security vulnerabilities.

Do the people working in this capacity have to tell the Chinese government about a security vulnerability within two days in order to comply with this law, before the vendor has a chance to fix it? In that case, will the Chinese government be aware of a vulnerability before the vendor’s customers can get a patch for the problem? If your network security vendor tests products in China, ask that question of your lawyer and your vendor (in that order).

Article 9, (7): Prohibits disclosing vulnerability details to “overseas organizations or individuals other than network product providers.”

Chinese hackers are known to use zero-day exploits in hacking competitions to win hundreds of thousands of dollars. Will they no longer be able to participate in these competitions? Many new vulnerabilities come to light in these competitions. In addition, while following the chatter about one of these competitions on Twitter, it became clear that the security researchers do not give up all of their zero-day exploits. They only give up the ones that are necessary to win the top prize. If they can’t win, they save the rest for later. What happens to those exploits now?

Some of the zero-day exploits in this competition involved network security products:

One of my biggest takeaways is that you should know where your network security products get tested. I once recommended to a network security product vendor that they stop testing products in China. I don’t know if that company still does so, but at the time they disregarded my recommendation. It was risky then and it is even more complicated now. I wrote about this in my cybersecurity book in the chapter asking how well you know your vendors.

On the other hand, this shows how valuable security research is in raising awareness of security product flaws, and how much damage can result from disallowing information sharing. The information should be shared in a responsible manner. Stopping people from sharing it will only send it underground and hurt the people you are trying to protect. It needs to be accessible to security researchers and product vendors so they can understand how exploits work, get product vulnerabilities fixed, and prevent them.

I wonder how this law affects security researchers abroad. If you publish information about a vulnerability in a product while in the United States, could you be breaking Chinese law, or does the law only apply if you are building the products in China, working in China, or a Chinese citizen?

Please note that, in most cases, Chinese laws apply to Chinese citizens wherever they are living and working around the world. Again, talk to your lawyer for more details about any risks that may apply to you.

If you want to know what happens when vendors don’t have to disclose vulnerabilities, check out the book I reviewed: Cult of the Dead Cow.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2021

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab