Chinese government tightens vulnerability disclosure rules

No information about vulnerabilities can be transferred to foreign parties other than the manufacturer of the product.

Under new regulations that further strengthen the Chinese Communist Party's control over information, cybersecurity researchers in China will have to report any vulnerability they find in software to the government, and will have no right to sell that information.

The rules bar private-sector security researchers who identify zero-day vulnerabilities from selling the information to the police, intelligence agencies or companies. Any researcher in China must report the flaw to the government, and the authorities will then decide how it is to be fixed. No vulnerability information may be passed to "foreign organizations or individuals" other than the manufacturer of the affected product.

The strict restrictions are presented as a way to prevent researchers from publicly disclosing vulnerability details before the vendor has had a chance to release a fix.

The new rules, which have been in the works since 2017, will enter into force on September 1 this year.

China has steadily tightened control over information and computer security over the past two decades. Banks and other entities that hold confidential information must use only Chinese-made security products. Overseas vendors selling routers and certain other networking products in China are required to tell regulators how any encryption functions in those products work.
