The Lawfare Podcast

China’s Approach to Software Vulnerabilities Reporting

Oct 19, 2023

Guest_1, an author of a report on how China manages software vulnerabilities, discusses China's regulations on reporting software vulnerabilities, the implications for stockpiling vulnerabilities for offensive operations, and the comparison to the US voluntary system.

45:11

Creator website

Episode guests

guest_1

AI Summary

Highlights

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

China's regulations on software vulnerabilities reporting require researchers to inform the government of any flaws discovered within 48 hours, effectively supporting efforts to stockpile vulnerabilities for offensive cyber operations.

China's vulnerability collection system has evolved over the years, with regulations and decisions shaping its current state, raising concerns about limited access to China's vulnerability discoveries and potential intelligence exploitation.

Deep dives

China's Regulations on Software Vulnerabilities Reporting

China's regulations on software vulnerabilities reporting require researchers to inform the government of any flaws discovered within 48 hours, effectively supporting efforts to stockpile vulnerabilities for offensive cyber operations. The regulations apply to network product providers and organizations conducting security research on software. Under the new system, researchers are required to report vulnerabilities to the Ministry of Industry and Information Technology, which shares the information with the China Cert Database. There has been a significant decrease in the number of vulnerabilities made public since the regulations were implemented, leading to concerns about reduced information sharing and potential offensive use of the collected data. Violators can face fines and suspension from data-sharing platforms.

The Impact of Researchers Not Contributing to the Cybersecurity Ecosystem

02:04

Introduction

3min

The Role of Software Vulnerability Reporting Mechanisms

6min

China's Regulations on Reporting Software Vulnerabilities

11min

China's Approach to Software Vulnerabilities Reporting and Advertisements for Ad-Free Listening and NetSuite

4min

Software Vulnerabilities Reporting in China

25min

Outro and Acknowledgements

2min

In July 2021, the Chinese government published its “Regulations on the Management of Network Product Security Vulnerabilities.” These rules require researchers to inform the government of all flaws in code within 48 hours of their discovery, effectively supporting efforts to stockpile software vulnerabilities, which can then be used for offensive cyber operations.

Lawfare Fellow in Technology Policy and Law Eugenia Lostri sat down with two guests who recently authored a report on how China manages software vulnerabilities. Dakota Cary is a nonresident fellow at the Atlantic Council’s Global China Hub and a consultant at Krebs Stamos Group. Kristin del Rosso is a public sector field CTO at IT security company Sophos. They talked about how companies have adjusted to China’s rules, how their system compares to the U.S. voluntary approach, and the incentives to collect vulnerabilities for offensive operations.

Support this show http://supporter.acast.com/lawfare.

Hosted on Acast. See acast.com/privacy for more information.

Get the Snipd
podcast app

Unlock the knowledge in podcasts with the podcast player of the future.

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Save any
moment

Hear something you like? Tap your headphones to save it with AI-generated key takeaways

Share
& Export

Send highlights to Twitter, WhatsApp or export them to Notion, Readwise & more

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

The Lawfare Podcast

China’s Approach to Software Vulnerabilities Reporting

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

China's Regulations on Software Vulnerabilities Reporting

Evolution of China's Vulnerability Collection System

Corporate Compliance and Impact on the Vulnerability Ecosystem

Importance of Avoiding Replication of China's System

The Impact of Researchers Not Contributing to the Cybersecurity Ecosystem

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights

The Lawfare Podcast

China’s Approach to Software Vulnerabilities Reporting

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

China's Regulations on Software Vulnerabilities Reporting

Evolution of China's Vulnerability Collection System

Corporate Compliance and Impact on the Vulnerability Ecosystem

Importance of Avoiding Replication of China's System

The Impact of Researchers Not Contributing to the Cybersecurity Ecosystem

Get the Snipdpodcast app

AI-poweredpodcast player

Discoverhighlights

Save anymoment

Share& Export

AI-poweredpodcast player

Discoverhighlights

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights