Skip to main content
Topic: Chinese government lays out new vulnerability disclosure rules (Read 2205 times) previous topic - next topic

Chinese government lays out new vulnerability disclosure rules

Chinese government lays out new vulnerability disclosure rules

The most important talking points are the fact that:
-researchers/vendors must share vulnerability reports with state agencies within two days of a report
-researchers are not allowed to release bug details before vendors had a reasonable chance to patch, except on rare occasions
-the new law also bans zero-day sales and vulnerability hoarding
-researchers are also banned from sharing data with overseas organizations (bug bounty platforms, hacking contests, CERT teams), except with product vendors & service providers directly

https://therecord.media/chinese-government-lays-out-new-vulnerability-disclosure-rules/

https://archive.st/archive/2021/7/therecord.media/ekst/therecord.media/chinese-government-lays-out-new-vulnerability-disclosure-rules/index.html

https://archive.is/BOX93