CyberManipal.

Tech news from MIST

China imposes restrictions on zero-day vulnerability researchers

Policies and Regulations
@ParthivMenon

Parthiv Menon

July 14, 2021

The Chinese government has mandated that any Chinese citizen who finds a zero-day vulnerability must pass the details only to the Chinese government and not to any third party outside China. A zero-day vulnerability is a software vulnerability unknown to those who would be responsible for fixing it. Hence, until the vulnerability is fixed, hackers can exploit it to affect programs, data, and even computer networks.

The published report points to the results of private vulnerability research being controlled by the government. China already has a tight grip over companies operating within China. Data on Chinese customers must not be stored outside of China, and companies selling routers and other network devices in China must disclose to regulators how any encryption features work.

The new rule strengthens the support that Chinese nationals give to China's supreme control over cyberspace in China. It makes that support explicit, and is more likely associated with China’s intelligence-led cyber efforts than with a desire to tighten control over internal information. If this is true, it is worth exploring what effect the rule might have on the rest of the world.

One major effect this rule could have is that Chinese Advanced Persistent Threat (APT) groups could have a larger stockpile of zero-days than they already have, making those zero-days unavailable for purchase by the NSA or Russian state actors. Apart from affecting companies in China and the flaws in their products, the new rule may also have an impact on bug bounty programs and hacking competitions featuring Chinese participants. Many top security experts feel this rule is likely to rebound on China, as researchers will abandon China once they can earn more for their efforts elsewhere.

Abridged from Security Week
