Is China Looking to Stockpile Zero-Days? New Vulnerability Disclosure Rules Could Create Closed Pipeline From Security Researchers to CCP

New vulnerability disclosure rules announced by the Chinese government have raised the prospect of “zero-day hoarding,” as anything discovered in the country must now be reported to the CCP and to no one else (in most cases). This includes a rule forbidding disclosures to the general public before a vendor has had a “reasonable chance” to patch the issue.

The new rules will, at the very least, threaten to disrupt working relationships between Chinese security researchers and “bug bounty” programs based in the West. The more worrisome possibility is that the Chinese government will collect and sit on zero-days, holding them in reserve for use by its state-backed hacking groups rather than disclosing them to software vendors and to the public so that appropriate safety measures can be taken.

Is the Chinese government planning to hoard zero-days?

All of this traces back to new vulnerability disclosure rules proposed by the Cyberspace Administration of China (CAC), which are slated to go into effect on September 1. The new rules make it illegal for anyone but the government to “publish or sell” vulnerabilities, requires everyone in the country to report discovered vulnerabilities within two days, prohibits disclosures before a vendor has had a “reasonable chance” to patch the issue (with case-by-case exemptions potentially granted by the Ministry of Industry and Information Technology), and prohibits any type of vulnerability disclosure to “overseas organizations” among other new requirements.

When researchers make a discovery, the new vulnerability disclosure process is rigid and requires them to go to the government first. Researchers themselves could face criminal penalties from the Ministry of Public Safety should they step outside the bounds of the formal reporting process. Any new zero-day discovered must be reported to the MIIT within two days, and in most cases it will then be up to the agency as to how and when the vendor is notified of the exploit. Naturally, the worry is that the government will simply keep many of these vulnerabilities quiet and keep them on hand for use by their own state-affiliated hackers. If the…


Vulnerability Disclosure Program — learn more about it — The Hacker News

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.

China's New Law Requires Researchers to Report All Zero-Day Bugs to Government

China’s New Law Requires Researchers to Report All Zero-Day Bugs to Government

July 17, 2021Ravie Lakshmanan

The Cyberspace Administration of China (CAC) has issued new stricter vulnerability disclosures regulations that mandate security researchers uncovering critical flaws in computer systems to mandatorily disclose them first-hand to the government authorities within two days of filing a report. The ” Regulations on the Management of Network Product Security Vulnerability ” are expected to go into effect starting September 1, 2021, and aim to standardize the discovery, reporting, repair, and release of security vulnerabilities and prevent security risks. “No organization or individual may take advantage of network product security vulnerabilities to engage in activities that endanger network security, and shall not illegally collect, sell or publish information on network product security vulnerabilities,” Article 4 of the regulation states. In addition to banning sales of previously unknown security weaknesses, the new rules also forbid vulnerabilities from being


Kaseya Ransomware Attack, PrintNightmare Zero-day, Kaspersky Password Manager Vulnerability

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being.

Details on the Kaseya supply-chain and REvil ransomware attack, a new zero-day exploit called “PrintNightmare” affects all Windows versions before June, and how randomly generated passwords in a popular password manager were not so random.

** Links mentioned on the show **

REvil Used 0-Day in Kaseya Ransomware Attack, Demands $70 Million Ransom

Public Windows PrintNightmare 0-day exploit allows domain takeover

Kaspersky Password Manager caught out making easily bruteforced passwords

** Watch this episode on YouTube **

** Thank you to our sponsors! **


Privacy is a tool that masks your bank account information by generating virtual card numbers. So if your virtual card number gets compromised, your real card number wont! New Privacy customers will get $5 to spend on your first purchase! Visit to sign up and take back control of your online payments.

Silent Pocket

Visit to check out Silent Pocket’s amazing line of Faraday bags and other products built to protect your privacy. As a listener of this podcast you receive 10% off your order at checkout using discount code “sharedsecurity”.

Click Armor

To find out how “gamification” of security awareness training can reduce cyber risks related to phishing and social engineering, and to get a free trial of Click Armor’s gamified awareness training platform, visit:

** Help support the show **

Looking for an affordable, reliable, no logs VPN provider? Support the podcast by purchasing a Private Internet Access VPN subscription via…


Better Vulnerability Management is Essential for Data Security

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being.

Imagine if a gang of burglars arrived on your street and started going from house to house each night testing windows and doors to see if any of them could be forced open. While many houses would be perfectly secure, it’s likely that there would be one or two — especially on a long street — that could be burglarized in this way.

This analogy can be applied when we think about software vulnerabilities. A software vulnerability refers to any software flaw that manifests itself in a way that can be negatively exploited by bad actors. While a software bug refers to a part of a piece of software that doesn’t behave exactly as intended, these are mostly just minor annoyances to users. A vulnerability, on the other hand, poses a serious threat to data privacy and system integrity as a whole.

The difference between the burglar analogy and real cybersecurity vulnerabilities has to do with scale. Many cities have a crime problem, but fortunately not every street has a gang of criminals constantly going house to house trying to break in. Such incidents are statistically rare. Software vulnerabilities are another story. Cybercriminals are always looking to exploit new vulnerabilities, and with upward of 23,000 vulnerabilities discovered each year, they have plenty of opportunities to capitalize.

The vulnerability problem

In most cases, software vulnerabilities can be plugged using patches. Patches refer to software updates, usually distributed via downloads, that rewrite problematic parts of a piece of software so as to fix the flaw. Like cyberattackers — only this time fighting on the side of good — reputable developers are constantly on the lookout for vulnerabilities in their own software.

When these vulnerabilities are discovered, a good developer will create a patch and push it out to users. By keeping on top of security focused updates, users can therefore keep themselves protected.

Problem solved, then? Sadly, it’s not quite as simple as that. Keeping on top of patch management can be a major headache. No user will use every piece of software in existence, of course, but most will rely on several dozen software packages. Downloading and installing software…