New regulation may present ‘new challenges to security researchers and pen testers working in China’

Security pros weigh in on China's new vulnerability disclosure law

Security researchers operating in the People’s Republic of China will soon be required to hand over information on vulnerabilities, including zero-days, to the authorities.

Regulations from the Cyberspace Administration of China will require anyone finding security vulnerabilities to inform the government from September.

According to a recent report by The Record, the news site run by Recorded Future, reports must be filed within two days, with all bugs going to the Ministry of Industry and Information Technology (MIIT).


Bug hunters will be banned from giving information about their findings to any “overseas organizations or individuals”, with the exception of the affected product’s manufacturer or software developer.

In addition, no one can “collect, sell or publish information on network product security vulnerabilities”, according to a report in the Associated Press.

Line in the sand

The new rules – Regulations on the Management of Network Product Security Vulnerability – come into force on September 1.

China experts say the rules are primarily aimed at overseas crime groups or, potentially, foreign intelligence agencies.

The law states that it is not permitted to use vulnerability information for “malicious speculation or fraud, extortion and other illegal and criminal activities”.

It will also be against the rules to release tools that exploit vulnerabilities. If a weakness is published, a repair or patch has to be released at the same time.


The measures largely bring China’s cybersecurity regulations in line with those in the west.

However, some observers worry that the rules could limit legitimate security research, penetration testing, and participation in bug bounty programmes.

They argue it could also allow Chinese cyber agencies to “stockpile” vulnerabilities for future use.

China’s new security vulnerability disclosure rules come into effect on September 1

At the same time, though, the regulations recommend that vendors set up “reward mechanisms” for reporting vulnerabilities. But network operators and product vendors also need to register their vulnerability reporting platforms with the MIIT.

“This rule has the potential to present new challenges to security researchers and penetration testers working in China. Specifically, as the reporting mechanism is formalized, it will be interesting to see how China implements the law itself,” Frank Downs, director of proactive services, BlueVoyant, and member of ISACA’s Emerging Trends Working Group, told The Daily Swig.


“For example, if a penetration tester is under contract to conduct a test for a company, is it the tester’s responsibility to report findings or the company’s? Additionally, if reporting is mishandled, what are the consequences?”

Downs added: “No matter how this law is implemented, China-based security researchers are probably going to tread much more carefully out of concern of being labelled a ‘hacker’. This law makes the prospect of security and penetration testing more fraught.”

“I don’t believe this will impact hacker contests or bug bounty programs significantly; however, it might impact companies who are doing development within China,” warned Joseph Carson, chief security scientist at ThycoticCentrify.

“Under the new rules, the government will know about security vulnerabilities first,” he said.

The original Mandarin text of the regulation is on the Cyberspace Administration of China’s website.
