China's Claim on Vulnerability Details Could Chill Researchers

Published: 23/11/2024   Category: security




The Network Security Law of the People's Republic of China enforces coordinated disclosure, but also requires that researchers notify the government of vulnerabilities.



A new law issued by the Chinese government makes it illegal to share vulnerability information with any organization except for the government and the maker of the affected product, a restriction that will likely chill research efforts, even among Chinese citizens living overseas, according to security and legal experts.
The Network Security Law of the People's Republic of China, issued on July 13, aims — on its face — to improve the security of Chinese networks and hold network product makers responsible for vulnerabilities in their hardware and software. However, the law also limits how research can be conducted and punishes researchers who share vulnerability information too widely or "exaggerate the hazards and risks of network product security vulnerabilities," according to a translated copy of the law.
Article 9 of the law also restricts researchers from publishing proof-of-concept code, requires that any information about vulnerabilities be disclosed only after a patch is available, and requires that details of vulnerabilities be disclosed only to the Chinese government and, optionally, to the maker of the product.
"This particular clause is controversial, to say the least," says Chenxi Wang, a general partner with Rain Capital and former associate professor at Carnegie Mellon University. "It will limit Chinese security researchers' abilities to collaborate with their international peers. ... It may potentially stifle security research in China and isolate Chinese security professionals from the international community."
While the law only pertains to people within China, the Chinese government's approach to enforcement, if strict, could result in chilling security research outside of the country as well, especially among expat Chinese citizens or security companies that are looking to do business in one of the world's largest markets.
There are already examples of companies censoring themselves to please China's government. Hollywood studios and game companies have abandoned topics and plotlines that could be seen as criticism of China or its policies.
Chinese citizens living outside of China and companies aiming to do business in China should worry, says Justin Antonipillai, founder and CEO of data-protection firm WireWheel and the former acting under secretary for economic affairs at the US Department of Commerce during the Obama administration.
"On its face, it is likely to govern people who are operating in China, but if you are a Chinese national and you live outside of China, you obviously don't know how it could be enforced later," he says. "Reporting every vulnerability to the government itself is pretty significant. All of the phrases in the law are pretty broad, and who knows what the government will use the information for."
The concerns come as a multilateral group of nations — including the United States, the United Kingdom, the European Union, and NATO — accused China of collaborating with cybercriminal groups to conduct economic espionage against other governments and industries. The US Department of Justice unsealed indictments against four Chinese nationals, who the agency claims are working with China's Ministry of State Security to steal intellectual property and business secrets.
While it is not clear how China intends to implement the law, nor whether the government will reserve the information for use by its military in cyber operations, the lack of clarity should itself cause concern, says Chris Levendis, program leader for MITRE's Common Vulnerabilities and Exposures (CVE) program. "I don't think this is a positive development for transparency or software security," he says. "As a general rule with vulnerability disclosure, the more transparent the better. ... This opens up the possibility of hiding vulnerabilities."
In 2018, threat intelligence firm Recorded Future released a report accusing China of systematically delaying the disclosure of the most critical vulnerabilities so its Ministry of State Security could assess the flaws for use in surveillance and intelligence operations.
The law also muddies the relationship between independent bug bounty hunters, penetration testers, and their clients. A Chinese vulnerability researcher taking part in a bug bounty may be forced to choose between violating a nondisclosure agreement to notify the Chinese government of vulnerabilities or running afoul of the Network Security Law by failing to notify the Chinese government.
"It is super problematic and super messy when you are talking about people who are finding defects for hire for a particular manufacturer," says Chris Wysopal, chief technology officer and founder at application security firm Veracode. "We have NDAs with our customers, and we exchange all sorts of information that we don't want public."
The law could also have a significant impact on MITRE's CVE program. Currently, about 40% of vulnerability submissions are from Chinese researchers, but the law makes it illegal to share vulnerability information with international organizations.
"I'm certain the numbers will take a hit, but I do not know how much," says MITRE's Levendis. "We don't know what the unintended consequences will be, nor China's motivations ... so you can derive themes and theories, but until it plays out, we will have to see how it develops."
