Chinese security researchers can’t participate in bug bounty programs or publish and sell vulnerability details

Starting next September, Chinese authorities will require anyone who discovers a zero-day vulnerability to report it to the government. Researchers will no longer be able to submit such findings to bug bounty programs or disclose them to any party outside China other than the vendor of the affected product.

The rules, issued by the Cyberspace Administration of China, state that “no one may collect, sell, or publish information about network product vulnerabilities.” The report does not make clear whether private vulnerability research itself is prohibited or whether the authorities only intend to monitor its results.

The report published by the Associated Press (AP) describes this as a further attempt by the Communist Party to control as much information as possible, now extending to the handling of security vulnerabilities. China already maintains strict controls over information technology within its borders, particularly over technology companies operating there.

The new rule builds on existing policies such as Article 7 of China’s National Intelligence Law, which requires Chinese citizens and organizations to cooperate with national intelligence work. This time, the authorities’ intention appears to be to tighten control over domestic information about cybersecurity risks.

Critics of the Chinese government believe the policy will let the Communist Party capture zero-day vulnerabilities for its affiliated hacking groups to exploit, while hampering the intelligence activity of U.S., Russian and other agencies. In this regard, cybersecurity expert Joseph Carson notes: “it is possible for the Chinese government to use as a weapon any security vulnerability discovered on its territory to improve the cybersecurity capabilities of its specialists.”

Researcher Jake Williams, for his part, expects the rule to directly affect the fight against security vulnerabilities: “It is almost certain that the government will channel these vulnerabilities to threat actors. This probably won’t cause an increase in the volume of attacks, but it can increase the sophistication of these hackers.”

Whatever the Chinese government’s intention, the likely outcome is that threat actors will gain greater access to information about zero-day vulnerabilities.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.