Critical regulatory new context from our biggest...

    Critical regulatory new context from our biggest customer,

    Ministry of Industry and Information Technology, Ministry of Cyberspace Affairs

    Notice on Issuing the Regulations on the Management of Network Product Security Vulnerabilities


    Ministry of Industry and Information Technology Network Security (2021) No. 66

    All provinces, autonomous regions, municipalities directly under the Central Government, and the Xinjiang Production and Construction Corps industry and information management departments, public security bureaus (bureaus), cyberspace affairs offices, and communications administrations of all provinces, autonomous regions, and municipalities directly under the Central Government:

    The "Regulations on the Management of Network Product Security Vulnerabilities" are hereby issued and will come into force on September 1, 2021.

    Ministry of Industry and Information Technology

    Cyberspace Administration

    Ministry of Public Security

    July 12, 2021



    Regulations on the Management of Security Vulnerabilities in Network Products


    Article 1 In order to regulate the discovery, reporting, repair and release of network product security vulnerabilities and prevent network security risks, these regulations are formulated in accordance with the "Network Security Law of the People's Republic of China".

    Article 2 Network product (including hardware and software) providers and network operators within the territory of the People's Republic of China, as well as organizations or individuals engaged in the discovery, collection, and release of network product security vulnerabilities, shall abide by these regulations.

    Article 3: The National Internet Information Office is responsible for the overall planning and coordination of the management of network product security vulnerabilities. The Ministry of Industry and Information Technology is responsible for the comprehensive management of network product security vulnerabilities, and is responsible for the supervision and management of network product security vulnerabilities in the telecommunications and Internet industries. The Ministry of Public Security is responsible for the supervision and management of network product security vulnerabilities, and cracks down on illegal and criminal activities that use network product security vulnerabilities in accordance with the law.

    Relevant competent departments strengthen cross-departmental coordination, realize real-time sharing of information on network product security vulnerabilities, and conduct joint assessment and disposal of major network product security vulnerabilities.

    Article 4 No organization or individual may use network product security vulnerabilities to engage in activities that endanger network security, or illegally collect, sell, or publish information on network product security vulnerabilities; anyone who knows that others use network product security vulnerabilities to engage in activities that endanger network security shall not provide them with technical support, advertising promotion, payment settlement or other help.

    Article 5: Network product providers, network operators, and network product security vulnerabilities collection platforms shall establish and improve network product security vulnerabilities information receiving channels and keep them open, and keep network product security vulnerabilities information receiving logs for no less than 6 months.

    Article 6: Encourage relevant organizations and individuals to notify network product providers of the security loopholes in their products.

    Article 7 Network product providers shall perform the following network product security vulnerabilities management obligations, ensure that their product security vulnerabilities are repaired in a timely manner and reasonably released, and guide and support product users to take preventive measures:

    (1) After discovering or learning about the security vulnerabilities in the provided network products, they should immediately take measures and organize verification of the security vulnerabilities to assess the degree of harm and the scope of the security vulnerabilities; for the security vulnerabilities in their upstream products or components, they should notify the relevant product provider immediately.

    (2) The relevant vulnerability information should be reported to the Ministry of Industry and Information Technology's cyber security threat and vulnerability information sharing platform within 2 days. The content of the submission should include the name, model, and version of the product that has the security vulnerability, and the technical characteristics, harm, and scope of the vulnerability.

    (3) Remediation of network product security vulnerabilities should be organized in a timely manner. Where product users (including downstream manufacturers) need to take measures such as software and firmware upgrades, the product users who may be affected should be promptly informed of the network product security vulnerabilities and repair methods, and the necessary technical support should be provided.

    The network security threat and vulnerability information sharing platform of the Ministry of Industry and Information Technology simultaneously reports relevant vulnerability information to the National Network and Information Security Information Notification Center and the National Computer Network Emergency Technology Coordination Center.

    Encourage network product providers to establish a reward mechanism for the security vulnerabilities of the network products they provide, and reward organizations or individuals that discover and report the security vulnerabilities of the network products they provide.

    Article 8: After network operators discover or learn of security loopholes in their networks, information systems, and equipment, they shall immediately take measures to verify the security loopholes in a timely manner and complete repairs.

    Article 9: Organizations or individuals engaged in the discovery and collection of network product security vulnerabilities, when publishing network product security vulnerability information to the public through network platforms, media, conferences, competitions, etc., shall follow the principles of being necessary, truthful, objective, and conducive to preventing network security risks, and comply with the following regulations:

    (1) Vulnerability information shall not be released before network product providers provide network product security vulnerabilities repair measures; if it is deemed necessary to release in advance, they shall jointly evaluate and negotiate with relevant network product providers, and report to the Ministry of Industry and Information Technology and the Ministry of Public Security; the information shall be released after evaluation organized by the Ministry of Industry and Information Technology and the Ministry of Public Security.

    (2) It is not allowed to publish the details of the security loopholes in the network, information system and equipment used by the network operator.

    (3) Do not deliberately exaggerate the hazards and risks of network product security vulnerabilities, and must not use network product security vulnerabilities to conduct malicious speculation or engage in fraud, extortion and other illegal and criminal activities.

    (4) It is not allowed to publish or provide programs and tools specially used to exploit network product security vulnerabilities to engage in activities that endanger network security.

    (5) When publishing security vulnerabilities in network products, repair or preventive measures shall be issued simultaneously.

    (6) During major events held by the state, without the consent of the Ministry of Public Security, no information on security vulnerabilities of network products may be released without authorization.

    (7) It is prohibited to provide undisclosed network product security information to overseas organizations or individuals other than network product providers.

    (8) Other relevant provisions of laws and regulations.

    Article 10: Any organization or individual setting up a network product security vulnerability collection platform shall file with the Ministry of Industry and Information Technology. The Ministry of Industry and Information Technology promptly notifies the Ministry of Public Security and the National Internet Information Office of the relevant vulnerability collection platforms, and announces the vulnerability collection platforms that have passed the record.

    Organizations or individuals that discover security vulnerabilities in network products are encouraged to submit information on the security vulnerabilities of network products to the Ministry of Industry and Information Technology Network Security Threat and Vulnerability Information Sharing Platform, the National Network and Information Security Information Notification Center Vulnerability Platform, the National Computer Network Emergency Technology Handling Coordination Center Vulnerability Platform, and the Vulnerability Database of the China Information Security Evaluation Center.

    Article 11: Organizations engaged in the discovery and collection of network product security vulnerabilities shall strengthen internal management and take measures to prevent network product security vulnerability information from being leaked or published in violation of regulations.

    Article 12: Network product providers who fail to take network product security vulnerabilities remediation or reporting measures in accordance with these regulations shall be dealt with by the Ministry of Industry and Information Technology and the Ministry of Public Security in accordance with their respective duties; if the circumstances stipulated in Article 60 of the "Network Security Law of the People's Republic of China" are constituted, punishment shall be imposed in accordance with the regulations.

    Article 13: Network operators who fail to take network product security loophole repairs or preventive measures in accordance with these regulations shall be dealt with by the relevant competent authorities in accordance with the law; if the circumstances specified in Article 59 of the "Network Security Law of the People's Republic of China" are constituted, punishment shall be imposed in accordance with the regulations.

    Article 14 The collection and release of network product security vulnerability information in violation of these regulations shall be handled by the Ministry of Industry and Information Technology and the Ministry of Public Security in accordance with their respective duties in accordance with the law; for those that constitute the circumstances specified in Article 62 of the "Network Security Law of the People's Republic of China", penalties are imposed in accordance with the regulations.

    Article 15: Anyone who exploits network product security loopholes to engage in activities that endanger network security, or provides technical support for others to use network product security loopholes to engage in activities that endanger network security, shall be dealt with by the public security organs in accordance with the law; if the circumstances specified in Article 63 of the "Network Security Law of the People's Republic of China" are constituted, penalties shall be imposed in accordance with the provisions; if a crime is constituted, criminal responsibility shall be investigated in accordance with the law.

    Article 16 These regulations shall come into effect on September 1, 2021.

 