Is China Looking to Stockpile Zero-Days? New Vulnerability Disclosure Rules Could Create Closed Pipeline From Security Researchers to CCP

New vulnerability disclosure rules announced by the Chinese government have raised the prospect of “zero-day hoarding,” as anything discovered in the country must now be reported to the CCP and to no one else (in most cases). This includes a rule forbidding disclosures to the general public before a vendor has had a “reasonable chance” to patch the issue.

The new rules will, at the very least, threaten to disrupt working relationships between Chinese security researchers and “bug bounty” programs based in the West. The more worrisome possibility is that the Chinese government will collect and sit on zero-days, holding them in reserve for use by its state-backed hacking groups rather than disclosing them to software vendors and to the public so that appropriate safety measures can be taken.

Is the Chinese government planning to hoard zero-days?

All of this traces back to new vulnerability disclosure rules proposed by the Cyberspace Administration of China (CAC), which are slated to go into effect on September 1. The new rules make it illegal for anyone but the government to “publish or sell” vulnerabilities, requires everyone in the country to report discovered vulnerabilities within two days, prohibits disclosures before a vendor has had a “reasonable chance” to patch the issue (with case-by-case exemptions potentially granted by the Ministry of Industry and Information Technology), and prohibits any type of vulnerability disclosure to “overseas organizations” among other new requirements.

When researchers make a discovery, the new vulnerability disclosure process is rigid and requires them to go to the government first. Researchers themselves could face criminal penalties from the Ministry of Public Safety should they step outside the bounds of the formal reporting process. Any new zero-day discovered must be reported to the MIIT within two days, and in most cases it will then be up to the agency as to how and when the vendor is notified of the exploit. Naturally, the worry is that the government will simply keep many of these vulnerabilities quiet and keep them on hand for use by their own state-affiliated hackers. If the…