China Introduced New Rules for Software Vulnerability Disclosure

By Bill Toulas / July 14, 2021

The Chinese Ministry of Industry and Information Technology has published a set of new regulations that will govern how security vulnerabilities in software and network products are reported and disclosed. The new rules come into force on September 1, 2021, and cover all provinces, autonomous regions, and municipalities of China, so every network product and piece of software developed in the country will be expected to comply.

In summary, the new regulations dictate the following:

The remaining articles describe what happens when a party fails to comply with the above, and it is clear that the state will not shy away from punishing deviations from the “Cybersecurity Law of the People’s Republic of China,” under which the vulnerability disclosure rules now fall.

The new rules create a host of complications even for software companies outside of China, as many of them work with Chinese researchers who are covered by the new law. If these researchers must disclose their findings to the Chinese ministry, the state, and potentially the actors it sponsors, would learn about valuable, unpatched vulnerabilities in foreign products. This is hard to reconcile with the terms of most international bug bounty programs, so in practice Chinese bug bounty hunters are about to be excluded from them.

Offensive security expert and influential hacker John Jackson shared the following comment with us on the new rules:

It looks like China is attempting to control the flow of exploits that are discovered by hackers. Requiring mandatory reporting of exploits undoubtedly means that the state will weaponize these exploits against adversaries, as we've seen previously. In addition, not allowing research outside of the country is going to hamper hackers' abilities to learn techniques.

