China's infosec researchers obeyed Beijing and stopped reporting vulns ... or did they?
2022-09-27 06:58

The Council explored the state of Chinese infosec research in the context of the 2021 introduction of "Regulations on the Management of Security Vulnerabilities of Network Products" that require local researchers to report any vulns they find to local authorities.

A ban on Chinese researchers participating in international infosec competitions is thought to have been imposed for similar reasons.

In a paper on the matter titled "Dragon tails: Preserving international cybersecurity research", the Council notes that China's infosec researchers are prolific and capable, with Alibaba's detection of the Log4J bug being a prime example of their sterling work.

Researchers looked at bug reports from organizations including Microsoft, Apple, VMware, F5, and Red Hat, as those entities name-check the sources of vulnerabilities they report.

The Council's researchers hypothesize that could indicate Chinese researchers instead revealed bugs anonymously.

The report ends with the optimistic observation that infosec researchers generally behave ethically, as shown by Alibaba's discovery and reporting of Log4J "In spite of the RMSV and other legal contexts and with no apparent profit motive."


News URL

https://go.theregister.com/feed/www.theregister.com/2022/09/27/atlantic_council_china_vuln_research/