China Implements Stringent Cybersecurity Regulations: Makers Urged to Swiftly Report…

China has implemented new regulations requiring makers of network software and hardware to promptly inform Beijing of any security vulnerabilities within two days of discovery. The details of these vulnerabilities cannot be made public until they are fixed, and there are restrictions on disclosing such information to foreign entities.

The rules, aimed at enhancing cybersecurity defenses, include provisions for vendors to address vulnerabilities promptly, establish bounty programs for researchers, and report relevant information to Chinese authorities. Despite concerns about the ambiguous nature of some rules, the regulations may impact Chinese researchers and complicate engagements with foreign bug bounty programs, leading to legal uncertainties.

As well as the creation of a centralized Chinese vulnerability database raises espionage concerns, and the two-day reporting timeframe may hinder thorough investigations and timely fixes. The potential use of vulnerability reports by the Chinese government adds to existing concerns about the security of Chinese-made communication systems in global deployments.