China Taking Control of Zero-Day Exploits
China is making sure that all newly discovered zero-day exploits are disclosed to the government.
Under the new rules, anyone in China who finds a vulnerability must tell the government, which will decide what repairs to make. No information can be given to “overseas organizations or individuals” other than the product’s manufacturer.
No one may “collect, sell or publish information on network product security vulnerabilities,” say the rules issued by the Cyberspace Administration of China and the police and industry ministries.
This just blocks the cyber-arms trade. It doesn’t prevent researchers from telling the products’ companies, even if they are outside of China.
Winter • July 14, 2021 6:50 AM
On the face of it, this law looks “good”.
However, I am worried that anyone who finds a Zero-Day exploit and discloses it to government & manufacturer has no other options left if neither wants to do anything about the exploit. As I read it here, disclosure to the press if no action is taken would be breaking this law.
I have understood that there have been cases in the past where manufacturers have not responded adequately to the reporting of exploits, as have governments.