New Law Will Help Chinese Government Stockpile Zero-Days

July 14, 2021

Starting September 1, 2021, the Chinese government will require any Chinese citizen who finds a zero-day vulnerability to pass the details to the Chinese government, and will prohibit selling or giving that knowledge to any third party outside of China (apart from the vulnerable product’s manufacturer).

Brief details are provided in a report by the Associated Press (AP) published Tuesday, July 13, 2021. No source is provided beyond the statement, “No one may ‘collect, sell or publish information on network product security vulnerabilities,’ say the rules issued by the Cyberspace Administration of China and the police and industry ministries.” The report is unclear about whether private research itself is being banned or whether the results of private research are being controlled. The latter is the more likely.

