Chinese researchers are significant contributors to vulnerability disclosure programs, both in volume and quality. When permitted by China’s government to compete in the vulnerability discovery competition Pwn2Own, for example, Chinese researchers dominated.
But a recent change in Chinese laws put new burdens on researchers that could have disincentivized participation. A group from the Atlantic Council’s Cyber Statecraft Initiative sifted through the thanks-for-telling-us notes included with patches for five large vendors and found that, tentatively, there was no effect.
In July 2021, China implemented the Regulations on the Management of Network Product Security Vulnerabilities law, which included a provision saying all “network security” vulnerabilities needed to be reported to vendors and, within two days of that, the government’s own Ministry of Industry and Information Technology (MIIT).
The law has already felled one of the country’s largest companies: Alibaba. The government suspended an information-sharing agreement with its cloud subsidiary after it failed to alert the MIIT about a Log4j vulnerability it disclosed in Apache.
“There’s some ambiguity about who the law covers, in certain cases, it refers to companies and vendors. In other cases, [it] refers to individuals, but it’s not consistent,” Stewart Scott, the lead researcher on the report, told SC Media before his unveiling the research at Black Hat.
But, with an asterix, the ambiguity and legal minefield do not appear to have caused a chilling effect on Chinese participation in disclosure. Scott and team went through the patch reports for F5, VMware, Apple, Microsoft and Red Hat, and tallied the company names associated with the researchers who discovered bugs. What they found was very little change. F5 and VMware had no Chinese companies before or after the law was announced, published or implemented. Apple and Red Hat generally trended to more Chinese disclosures. Microsoft, curiously, had a steep decline in July 2020, the month the law was announced: 59 vulnerabilities one month, 11 the next.
Scott said that may or may not be attributed to the Chinese law, noting that there were other changes going on at the time in China and, importantly, that there was no way to tell when a vulnerability was reported to Microsoft. Researcher-enforced deadlines are often 30 days to 90 days after reporting — all of which would be squarely before the July.
That difficulty in determining exactly when a vulnerability was submitted may be effecting the data overall.
“It might even be too early to tell if there is a significant supply shock from the law, let alone like what that might turn into,” Scott said.
The attributions in the patch reports are only intended to be a public thank you, and were not designed to be easily digestible as a data source. They are not standardized in any way (“There were many different spellings of the same four- to five-letter companies,” said Scott). In the future, the researchers said, there may be a lot of value in treating these like a formal data source.
“Bug reporting isn't ephemeral, anymore. It’s not enough of say there was a problem, we fixed it. The length of patch windows to get users to adopt patches, the time and quality it takes to build a patch — these are all really significant sources of information about how a vendor behaves, how significant a vulnerability is, how secure is that software product,” said Trey Herr, director of the Atlantic Council's Cyber Statecraft Initiative, who worked on and presented the research with Scott.