Ministry of Industry and Information Technology and two other departments: network product security vulnerability information shall not be illegally collected, sold or published

On July 13, the Ministry of Industry and Information Technology (MIIT), the Cyberspace Administration of China and the Ministry of Public Security jointly issued the Provisions on the Management of Network Product Security Vulnerabilities, which come into force on September 1, 2021.

The Provisions make clear that no organization or individual may exploit network product security vulnerabilities to engage in activities that endanger network security, or illegally collect, sell or publish network product security vulnerability information; and that no one may provide technical support, advertising promotion, payment and settlement services or other assistance to anyone they know to be exploiting network product security vulnerabilities to engage in activities that endanger network security.

The full text of the Provisions on the Management of Network Product Security Vulnerabilities follows:

Article 1 These Provisions are formulated in accordance with the Cybersecurity Law of the People’s Republic of China for the purpose of regulating the discovery, reporting, remediation and disclosure of network product security vulnerabilities and preventing cybersecurity risks.

Article 2 Network product (including hardware and software) providers and network operators within the territory of the People’s Republic of China, as well as organizations or individuals engaged in the discovery, collection and disclosure of network product security vulnerabilities, shall abide by these Provisions.

Article 3 The Cyberspace Administration of China is responsible for the overall planning and coordination of network product security vulnerability management. The Ministry of Industry and Information Technology is responsible for the comprehensive management of network product security vulnerabilities, and for the supervision and management of network product security vulnerabilities in the telecommunications and Internet industries. The Ministry of Public Security is responsible for the supervision and management of network product security vulnerabilities, and for cracking down in accordance with the law on illegal and criminal activities that exploit network product security vulnerabilities.

The relevant competent departments shall strengthen cross-departmental coordination and cooperation, share network product security vulnerability information in real time, and jointly assess and handle major network product security vulnerability risks.

Article 4 No organization or individual may exploit network product security vulnerabilities to engage in activities that endanger network security, or illegally collect, sell or publish network product security vulnerability information. No one may provide technical support, advertising promotion, payment and settlement services or other assistance to anyone they know to be exploiting network product security vulnerabilities to engage in activities that endanger network security.

Article 5 Network product providers, network operators and network product security vulnerability collection platforms shall establish and improve channels for receiving network product security vulnerability information, keep those channels open, and retain logs of received network product security vulnerability information for no less than 6 months.

Article 6 Relevant organizations and individuals are encouraged to inform network product providers of security vulnerabilities in their products.

Article 7 Network product providers shall fulfil the following network product security vulnerability management obligations, ensure that security vulnerabilities in their products are remediated in a timely manner and disclosed reasonably, and guide and support product users in taking preventive measures:

(1) Upon discovering or being informed that a network product they provide contains a security vulnerability, they shall immediately take measures and organize verification of the vulnerability, and assess the degree of harm and the scope of impact. Where the vulnerability lies in an upstream product or component, they shall immediately notify the relevant product provider.

(2) They shall report the relevant vulnerability information to the cybersecurity threat and vulnerability information sharing platform of the Ministry of Industry and Information Technology within 2 days. The report shall include the name, model and version of the network product containing the security vulnerability, as well as the technical characteristics, harm and scope of impact of the vulnerability.

(3) They shall organize remediation of network product security vulnerabilities in a timely manner. Where product users (including downstream manufacturers) need to apply software or firmware upgrades, they shall promptly inform potentially affected product users of the risk posed by the vulnerability and the remediation method, and provide the necessary technical support.

The cybersecurity threat and vulnerability information sharing platform of the Ministry of Industry and Information Technology shall simultaneously report the relevant vulnerability information to the National Network and Information Security Information Notification Center and the National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT/CC).

Network product providers are encouraged to establish reward mechanisms for security vulnerabilities in the network products they provide, and to reward organizations or individuals who discover and report such vulnerabilities.

Article 8 After a network operator discovers or learns that its network, information system or equipment contains a security vulnerability, it shall immediately take measures to verify the vulnerability and remediate it in a timely manner.

Article 9 Organizations or individuals engaged in the discovery and collection of network product security vulnerabilities that disclose network product security vulnerability information to the public through network platforms, media, conferences, competitions or other channels shall follow the principles of necessity, truthfulness, objectivity and conduciveness to preventing cybersecurity risks, and shall comply with the following provisions:

(1) Vulnerability information shall not be disclosed before the network product provider has provided remediation measures for the network product security vulnerability. Where early disclosure is deemed necessary, the discloser shall jointly assess and negotiate with the relevant network product provider and report to the Ministry of Industry and Information Technology and the Ministry of Public Security, which shall organize an assessment before the information is disclosed.

(2) Details of security vulnerabilities in the networks, information systems and equipment used by network operators shall not be published.

(3) The harm and risk of network product security vulnerabilities shall not be deliberately exaggerated, and network product security vulnerability information shall not be used for malicious hype, fraud, extortion or other illegal and criminal activities.

(4) Programs or tools specifically designed to exploit network product security vulnerabilities to engage in activities that endanger network security shall not be published or provided.

(5) When network product security vulnerabilities are disclosed, remediation or preventive measures shall be published at the same time.

(6) During major state events, network product security vulnerability information shall not be published without the consent of the Ministry of Public Security.

(7) Undisclosed network product security vulnerability information shall not be provided to overseas organizations or individuals other than the network product provider.

(8) Other relevant provisions of laws and regulations.

Article 10 Any network product security vulnerability collection platform established by an organization or individual shall be filed with the Ministry of Industry and Information Technology. The Ministry of Industry and Information Technology shall promptly notify the Ministry of Public Security and the Cyberspace Administration of China of the filed vulnerability collection platforms, and shall publish the platforms that have completed filing.

Organizations or individuals who discover network product security vulnerabilities are encouraged to report network product security vulnerability information to the cybersecurity threat and vulnerability information sharing platform of the Ministry of Industry and Information Technology, the vulnerability platform of the National Network and Information Security Information Notification Center, the vulnerability platform of the National Computer Network Emergency Response Technical Team/Coordination Center, or the vulnerability database of the China Information Technology Security Evaluation Center.

Article 11 Organizations engaged in the discovery and collection of network product security vulnerabilities shall strengthen internal management and take measures to prevent the leakage and illegal disclosure of network product security vulnerability information.

Article 12 Where a network product provider fails to take measures to remediate or report network product security vulnerabilities in accordance with these Provisions, the Ministry of Industry and Information Technology and the Ministry of Public Security shall handle the case according to their respective responsibilities. Where the circumstances fall within Article 60 of the Cybersecurity Law of the People’s Republic of China, punishment shall be imposed in accordance with that Article.

Article 13 Where a network operator fails to take network product security vulnerability remediation or preventive measures in accordance with these Provisions, the relevant competent authorities shall handle the case according to law. Where the circumstances fall within Article 59 of the Cybersecurity Law of the People’s Republic of China, punishment shall be imposed in accordance with that Article.

Article 14 Whoever collects or publishes network product security vulnerability information in violation of these Provisions shall be dealt with by the Ministry of Industry and Information Technology and the Ministry of Public Security according to their respective responsibilities. Where the circumstances fall within Article 62 of the Cybersecurity Law of the People’s Republic of China, punishment shall be imposed in accordance with that Article.

Article 15 Whoever exploits network product security vulnerabilities to engage in activities that endanger network security, or provides technical support to others who exploit network product security vulnerabilities to engage in activities that endanger network security, shall be dealt with by the public security organs according to law. Where the circumstances fall within Article 63 of the Cybersecurity Law of the People’s Republic of China, punishment shall be imposed in accordance with that Article. Where the conduct constitutes a crime, criminal liability shall be pursued according to law.

Article 16 These Provisions shall come into force as of September 1, 2021.
