Brief details are provided in a report by the Associated Press (AP) published Tuesday, July 13, 2021. No source is provided beyond the statement, “No one may ‘collect, sell or publish information on network product security vulnerabilities,’ say the rules issued by the Cyberspace Administration of China and the police and industry ministries….”
AP describes this action as “further tightening the Communist Party’s control over information”. This is unlikely to be the primary motivation for the new rule since the government already has a vice-like grip on data. Companies may not store data on Chinese customers outside of China. Foreign companies selling routers and some other network devices in China must disclose to regulators how any encryption features work.
“I would expect the Chinese Government to weaponize any discovered security vulnerabilities to enhance China’s cybersecurity capabilities,” Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, tells SecurityWeek. And Jake Williams, co-founder and CTO at BreachQuest adds that “the defensive advantages of Chinese government organizations being able to mitigate vulnerabilities discovered may well outweigh any offensive gains….”
But he also believes this could rebound against China. “One of the biggest likely issues is brain drain. If Chinese researchers can profit handsomely from their work anywhere else, but can’t do so in China, why would they stay? This probably helps China in the short term but harms them in the long term.”
The new law does encourage network operators and product vendors to set up a reward mechanism for reported vulnerabilities, according to the Record. But Katie Moussouris, founder and CEO of Luta Security, also raises the issue of western-based bug bounty platforms that have been working with Chinese security researchers for the past years. “If Western-based bug bounty platforms comply with this requirement in order to continue to legally receive bug reports from Chinese researchers, we must assume they will be required to hand over vulnerability data to the Ministry within two days of receiving the reports,” Moussouris said. “That requirement will effectively introduce a backdoor straight to the Chinese government in any VDP [vulnerability disclosure program] or bug bounty program where Chinese researchers submit bugs via platforms, even to non-Chinese companies.”
Read more of this story at Slashdot.