So nice of China to put all of its network zero-day vulns in one giant database no one will think to break into
Chinese makers of network software and hardware must alert Beijing within two days of learning of a security vulnerability in their products under rules coming into force in China this year.
Though the rules are a little ambiguous in places, judging from the spirit of them, they throw a spanner in the works for Chinese researchers who work with, or hope to work with, zero-day vulnerability brokers.
"Chinese teams stopped participating in Pwn2Own after 2017 when there were regulatory changes that no longer allowed for participation in global exploit contests," Brian Gorenc, head of ZDI and Pwn2Own at Trend Micro, told The Register on Wednesday.
"There are Chinese bug bounty programs but whether or not Western based companies would comply is a question that needs answering. We'll need to see a case emerge where the Chinese authorities attempt to exert the directive to see."
Another part of the order that worries Moussouris is the central Chinese vulnerability database that will be created to house all of these reported bugs: it's an obvious target for espionage.
Who could forget Uncle Sam's Office of Personnel Management, which was ransacked in 2015 by Chinese cyber-spies who made off with sensitive records on more than 20 million US govt staff?
News URL
https://go.theregister.com/feed/www.theregister.com/2021/07/15/china_vulnerability_law/