New America
Cybersecurity Initiative

Translation: Chinese Rules for Managing Cybersecurity Vulnerabilities Published in Draft Form

Specifying response times and reporting requirements for vulnerabilities and mitigation measures
Blog Post
Shutterstock
By 

Dahlia Peterson

 and 

Rui Zhong

June 19, 2019

The Ministry of Industry and Information Technology on June 18 published draft provisions specifying how network product or service providers, network operators, and third-party organizations engaged in vulnerability analysis should handle to cybersecurity vulnerabilities.

The provisions are open for public comment for one month. They join related “Public Internet Cybersecurity Threat Monitoring and Mitigation Measures” from 2017 that set up cybersecurity threat sharing mechanisms.

These draft provisions appear designed to implement existing requirements, including:

  • Article 22 of the Cybersecurity Law, which requires network product or service providers, “when discovering that their products and services have security flaws or vulnerabilities, [to] immediately adopt remedial measures, and follow provisions to promptly inform users and report to the competent departments”;
  • Article 25 of the Cybersecurity Law, which requires network operators to “formulate emergency response plans for cybersecurity incidents and promptly address system vulnerabilities, computer viruses, cyber attacks, network intrusions, and other such cybersecurity risks”; and
  • Article 26 of the Cybersecurity Law, which requires third-party organizations working with cybersecurity assessments or vulnerabilities to follow “relevant national provisions.”

These draft provisions are the latest in a string of draft policy documents issued by Chinese authorities around the two year anniversary of Cybersecurity Law going into effect June 1, 2017. DigiChina has also translated the recent “Cybersecurity Review Measures (Draft for Comment),” “Data Security Management Measures (Draft for Comment),” “Critical Network Equipment Security Testing Implementing Measures (Draft for Comment),” and “Personal Information Outbound Transfer Security Assessment Measures (Draft for Comment).” –Ed.

[Chinese-language original: 《网络安全漏洞管理规定(征求意见稿)》]

TRANSLATION

Soliciting Public Opinion on ‘Provisions for Cybersecurity Vulnerabilities Management (Draft for Comment)’

Published: 2019-06-18

Source: Cybersecurity Management Bureau

In order to implement the Cybersecurity Law of the People's Republic of China and strengthen management of cybersecurity vulnerabilities, the Ministry of Industry and Information Technology and relevant departments drafted the “Provisions for Cybersecurity Vulnerabilities Management (Draft for Comment),” which is intended to be a normative document. It is now open for public comment. If you have any comments or suggestions, please provide feedback before July 18, 2019.

  • Telephone: 010-66022093
  • Fax: 010-66022774
  • Email: wangmeifang@miit.gov.cn
  • Address: Cybersecurity Management Bureau, Ministry of Industry and Information Technology, No. 13 West Chang’an Avenue, Xicheng District, Beijing 100804. Please write “‘Provisions for Cybersecurity Vulnerabilities Management (Draft for Comment)’ opinion feedback” on the envelope.

Ministry of Industry and Information Technology
June 18, 2019

Provisions for Cybersecurity Vulnerabilities Management (Draft for Comment)

Article 1: To regulate reports, information dissemination, and other activities regarding cybersecurity vulnerabilities (hereinafter called “vulnerabilities”); in order to ensure that network product, service, and system vulnerabilities are promptly patched; to raise the standard for cybersecurity protection; and in accordance with the Cybersecurity Law and the National Security Law; these provisions are formulated.

Article 2: Network product or service providers and network operators, as well as persons or organizations (hereafter called “third-party organizations”) conducting detection, assessment, collection, and publication of vulnerabilities, or hosting related competitions, within the mainland territory of the People's Republic of China should abide by these Provisions.

Article 3: After discovering or learning of vulnerabilities in their network products, services, and systems, network product or service providers and network operators should abide by the following provisions:

  1. Immediately verify the vulnerability, and issue a patch or preventive measure for a relevant network product within 90 days. A patch or preventive measure for a relevant network service or system should be released within 10 days.
  2. If the user or relevant technical partners are required to patch or take preventive measures toward vulnerabilities in the relevant network products, services, and systems, then the attendant risks and the patching or preventative measures to be undertaken by the users or relevant technical partners will be published, or shared by customer service, to all potentially affected users and relevant technical partners. They will provide the necessary technical support, and report the relevant vulnerabilities to the Ministry of Industry and Information Technology Cybersecurity Threat Information Sharing Platform. This is all to be done within 5 days.

Article 4: The Ministry of Industry and Information Technology, the Ministry of Public Security, and the competent departments of relevant industries, in accordance with their respective responsibilities, organize and urge network product and service providers and network operators to adopt patching or preventive measures.

Article 5: The Ministry of Industry and Information Technology, the Ministry of Public Security, the Cyberspace Administration of China, and other relevant departments realize real-time sharing of information on vulnerabilities.

Article 6: Third-party organizations or individuals that publish information on vulnerabilities to the public through websites, media, meetings, etc., should follow the principles of necessity, truth, objectivity, and conduciveness to preventing and responding to cybersecurity risks, and comply with the following provisions:

  1. Before network product or service providers or network operators release patches or preventive measures to society or users, any relevant vulnerability information may not be disclosed.
  2. Do not intentionally exaggerate a vulnerability’s harms and risks.
  3. Do not publish or provide methods, procedures, or tools specifically designed to exploit network product, service, or system vulnerabilities which would harm cybersecurity.
  4. Coordinate the release of vulnerability patches or preventive measures.

Article 7: Third-party organizations should strengthen internal management and perform the following management duties in order to protect against leaks of vulnerability information or publication of vulnerability information by internal personnel in violation of regulations:

  1. Designate a vulnerability management department and responsible party.
  2. Establish an internal verification mechanism for vulnerability information publication.
  3. Adapt necessary measures to protect against vulnerability information leaks.
  4. Periodically conduct confidentiality training for staff members.
  5. Establish internal accountability measures.

Article 8: When network product or service providers or network operators do not adopt vulnerability patching or preventative measures and communicate them to the public or users according to these Provisions, the Ministry of Industry and Information Technology, the Ministry of Public Security, and other relevant authorities organize discussions or administrative punishment in accordance with provisions including Articles 56, 59, and 60 of the Cybersecurity Law.

Article 9: When third-party organizations publish vulnerability information in violation of these Provisions, the Ministry of Industry and Information Technology, the Ministry of Public Security and other relevant authorities organize discussions or, in accordance with provisions including Articles 62 and 63 of the Cybersecurity Law, render administrative punishments. When it constitutes a crime, an investigation into criminal responsibility is conducted according to law. If network product or service providers or network operators and providers cause economic or reputational damages, they bear civil liability according to law.

Article 10: Following the discovery of vulnerabilities in network products, services, or systems, third-party organizations and individuals are encouraged to promptly upload relevant details to vulnerability collection platforms such as the China National Vulnerability Database (国家信息安全漏洞共享平台) and the China National Vulnerability Database of Information Security (国家信息安全漏洞库). Vulnerability collection platforms should comply with Articles 6 and 7 of these Provisions.

Article 11: Any individuals or organizations discovering suspected violations of these Provisions, have the right to report to the Ministry of Industry and Information Technology and the Ministry of Public Security.

Article 12: These Provisions take effect upon publication.