Black keyboard with Chinese flag on enter key showing vulnerability disclosure of zero-days by security researchers

Is China Looking to Stockpile Zero-Days? New Vulnerability Disclosure Rules Could Create Closed Pipeline From Security Researchers to CCP

New vulnerability disclosure rules announced by the Chinese government have raised the prospect of “zero-day hoarding,” as anything discovered in the country must now be reported to the CCP and to no one else (in most cases). This includes a rule forbidding disclosures to the general public before a vendor has had a “reasonable chance” to patch the issue.

The new rules will, at the very least, threaten to disrupt working relationships between Chinese security researchers and “bug bounty” programs based in the West. The more worrisome possibility is that the Chinese government will collect and sit on zero-days, holding them in reserve for use by its state-backed hacking groups rather than disclosing them to software vendors and to the public so that appropriate safety measures can be taken.

Is the Chinese government planning to hoard zero-days?

All of this traces back to new vulnerability disclosure rules proposed by the Cyberspace Administration of China (CAC), which are slated to go into effect on September 1. The new rules make it illegal for anyone but the government to “publish or sell” vulnerabilities, requires everyone in the country to report discovered vulnerabilities within two days, prohibits disclosures before a vendor has had a “reasonable chance” to patch the issue (with case-by-case exemptions potentially granted by the Ministry of Industry and Information Technology), and prohibits any type of vulnerability disclosure to “overseas organizations” among other new requirements.

When researchers make a discovery, the new vulnerability disclosure process is rigid and requires them to go to the government first. Researchers themselves could face criminal penalties from the Ministry of Public Safety should they step outside the bounds of the formal reporting process. Any new zero-day discovered must be reported to the MIIT within two days, and in most cases it will then be up to the agency as to how and when the vendor is notified of the exploit. Naturally, the worry is that the government will simply keep many of these vulnerabilities quiet and keep them on hand for use by their own state-affiliated hackers. If the government chose inaction, for whatever reason it might be, it would be illegal for a resident to go ahead with a public disclosure.

Dr. Chenxi Wang, General Partner, Rain Capital (former Forrester VP of Research and Carnegie Mellon professor), elaborates on the potential problems created by the rule: “However, the new requirements on how security researchers should disclose vulnerabilities are a bit heavy-handed. For instance, #9 in the new regulation prohibits security researchers (those who discover security vulnerabilities) from sharing non-public vulnerability information with overseas organizations or individuals. The one exception is with the product owners … This particular clause is controversial, to say the least. It will limit Chinese security researchers’ abilities to collaborate with their international peers. Even sharing research findings in a non-public vulnerability in a conference such as Blackhat or Defcon will be considered a violation of the law. It may potentially stifle security research in China and isolate Chinese security professionals from the international community.”

The new state of affairs will also greatly complicate the existing relationships between Chinese security researchers and Western bug bounty platforms, which has been a mutually beneficial arrangement to date. The new rules will forbid Chinese researchers from contacting these platforms about zero-days; this relationship is unlikely to continue unless the bug bounty platforms agree to notify the Chinese government within two days of receiving a vulnerability disclosure from a researcher in the country. However, some analysts see this as a potential point of backfire against the government; if the many active Chinese security researchers see their incomes reduced due to restrictions on vulnerability disclosures, it might induce “brain drain” as they opt to migrate out of the country.

New vulnerability disclosure rules could have unintended side effects

Another possible unintended consequence, pointed out by The Register, is that a Chinese government archive of unpublished zero-days could itself turn into a target for hackers with potentially catastrophic consequences if it fell into the wrong hands. There is also the possibility of an insider leaking this information, particularly given how valuable it would be and what sort of amounts they might be offered for it.

Unlike Russia, the Chinese government is not known to unofficially sanction criminals within its borders that restrict themselves to ransacking foreign adversaries. To the contrary, the government exerts very tight control over how the internet is used and the flow of data over its borders. This might incentivize domestic hacking talent to target this potential vault of zero-days, either to exploit themselves or to sell to the highest bidders.

China’s state-backed APT groups do not make news as often as their Russian counterparts, but are among the most skilled in the world. An example of what they might do with a trove of undisclosed zero-days can be seen in the recent wave of attacks on Pulse Connect Secure VPNs, thought to be a coordinated effort by several of these groups that is hitting both government and private industry targets throughout the US and Europe. There is also at least some evidence that China’s APT groups have moved into the lucrative ransomware-for-profit game as of 2021, with links to attacks on a number of online gambling operations that have no intelligence value.