New Law Will Help Chinese Government Stockpile Zero-Days
Starting September 1, 2021, the Chinese government will require that any Chinese citizen who finds a zero-day vulnerability must pass the details to the Chinese government and must not sell or give the knowledge to any third party outside of China.
The most obvious assumption is that Chinese-found zero-days will be funneled to Chinese APT groups and will not be made available for purchase by the NSA or Russian state actors.
"This new rule will tighten any prior flexibility security researchers had and will force them into sharing security research with the Chinese government and limit further disclosures."
"The government will almost certainly funnel these vulnerabilities to Chinese government threat actors. This probably won't cause a rise in the volume of attacks, but may well increase the sophistication. As a side note," he added, "the defensive advantages of Chinese government organizations being able to mitigate vulnerabilities discovered may well outweigh any offensive gains."
The fact remains that Chinese APTs are likely to acquire a greater stockpile of zero-days than they already have.
Carson notes an adverse effect on Western organizations doing development in China, since the Chinese government will potentially know about security vulnerabilities in those organizations' products before the organizations themselves do.