Every vulnerability discovered by Chinese researchers has to be immediately reported to the government. No wonder it’s causing a chilling effect among the local hacker community.
A comprehensive research paper by the Atlantic Council examines China’s law requiring researchers to report vulnerabilities to the government shortly after notifying vendors. Given that government agencies harvest flaws for offensive use, this practice raises concerns about its impact on international cybersecurity research.
According to the paper, Chinese corporate research teams and individual researchers have dominated marquee hacking competitions and corporate bounty programs for at least a decade. In 2018, China banned its researchers from participating in such events abroad. Soon after, the Regulations on the Management of Network Product Security Vulnerabilities (RMSV) followed, requiring Chinese network product providers to “notify the country’s Ministry of Industry and Information Technology (MIIT) about vulnerabilities found in ‘network products’ within a few days of reporting them to the appropriate vendor.”
The Chinese government is serious about RMSV, and a story about a bug in a logging library, Log4j, is a stellar example. Publicly disclosed at the end of 2021, Log4j caused havoc, with researchers calling it a Fukushima moment for cybersecurity.
“In late November 2021, a researcher at Chinese technology giant Alibaba discovered a severe vulnerability in Log4j and disclosed it privately to the Apache Software Foundation (ASF) team maintaining the library. A month later, Alibaba found itself on the receiving end of government sanctions. China’s Ministry of Industry and Information Technology suspended subsidiary Alibaba Cloud from a cyber threat and information-sharing partnership for six months, apparently for failing to report the Log4j vulnerability, also known as Log4Shell, directly and promptly to the MIIT,” the report reads.
While little is known about the precise punishment mechanism, the Atlantic Council said that the titanic cybersecurity entity was punished for “following what were by all accounts best practices, or at least something close to them.”
“The law has the potential to either funnel vulnerability information to the MIIT well ahead of industry-standard timelines or to create ‘a chilling effect on future coordinated disclosure’ in one of the world’s largest information technology (IT) hubs,” the report said.
Researchers hunt for vulnerabilities in products, open-source libraries, and embedded software for various reasons: prestige, profit, ethical principles, and entertainment, among others. The independent researcher community, the Atlantic Council argues, is essential to managing the level of risk posed by software to users.
Data from technology giants (Apple, Microsoft, VMware, Red Hat, and F5) discussed in the paper suggests that the RMSV has not yet significantly impacted the supply of vulnerability disclosures. Microsoft is a possible exception here: in 2020, monthly vulnerability reports from Chinese researchers plummeted from 59 to 11, where they have hovered each month since.
“However, that is not to suggest that the research community in China is immune to its legal context. First, the potential for a delayed effect outside of this study’s timeframe remains, especially when acknowledging the considerable vagueness in CVE reporting and dating practices,” the Atlantic Council said.