Full text and interpretation of the “Regulations on the Management of Network Product Security Vulnerabilities” that will be implemented on September 1, 2021

Provisions on the Management of Security Vulnerabilities of Network Products

Article 1 In order to regulate the discovery, reporting, repair, and release of network product security vulnerabilities, and prevent network security risks, these Provisions are formulated in accordance with the “Network Security Law of the People’s Republic of China”.

Article 2 Providers and network operators of network products (including hardware and software) within the territory of the People’s Republic of China, as well as organizations or individuals engaged in activities such as the discovery, collection, and release of network product security vulnerabilities, shall abide by these Provisions.

Article 3 The Cyberspace Administration of China is responsible for the overall coordination of network product security vulnerability management. The Ministry of Industry and Information Technology is responsible for the comprehensive management of network product security vulnerabilities and undertakes the supervision and management of network product security vulnerabilities in the telecommunications and Internet industries. The Ministry of Public Security is responsible for the supervision and management of network product security vulnerabilities and cracks down, in accordance with the law, on illegal and criminal activities that exploit network product security vulnerabilities.

Relevant competent departments strengthen cross-departmental coordination, realize real-time sharing of network product security vulnerability information, and conduct joint assessment and disposal of major network product security vulnerability risks.

Article 4 No organization or individual may use network product security vulnerabilities to engage in activities that endanger network security, nor illegally collect, sell, or publish information on network product security vulnerabilities; nor may anyone provide technical support, advertising promotion, payment settlement or other assistance to others who use network product security vulnerabilities to engage in activities that endanger network security.

Article 5 Network product providers, network operators, and network product security vulnerability collection platforms shall establish and improve channels for receiving network product security vulnerability information, keep those channels open, and retain the logs of received network product security vulnerability information for no less than 6 months.

Article 6 Relevant organizations and individuals are encouraged to notify network product providers of security vulnerabilities in their products.

Article 7 Network product providers shall perform the following network product security vulnerability management obligations, ensure that their product security vulnerabilities are promptly patched and reasonably released, and guide and support product users to take preventive measures:

(1) After discovering or learning that a network product it provides has a security vulnerability, it shall immediately take measures and organize verification of the vulnerability, and evaluate the degree of harm and the scope of impact of the vulnerability; for security vulnerabilities that exist in its upstream products or components, it shall immediately notify the relevant product provider.

(2) It shall submit the relevant vulnerability information to the network security threat and vulnerability information sharing platform of the Ministry of Industry and Information Technology within 2 days. The submission shall include the name, model and version of the network product affected by the security vulnerability, together with the technical characteristics, harm, and scope of impact of the vulnerability.

(3) It shall organize the repair of network product security vulnerabilities in a timely manner. Where product users (including downstream manufacturers) need to take measures such as software or firmware upgrades, it shall promptly notify potentially affected product users of the network product security vulnerability risks and the repair methods, and provide the necessary technical support.

The network security threat and vulnerability information sharing platform of the Ministry of Industry and Information Technology simultaneously reports relevant vulnerability information to the National Network and Information Security Information Notification Center and the National Computer Network Emergency Technology Handling Coordination Center.

Network product providers are encouraged to establish reward mechanisms for the security vulnerabilities of the network products they provide, and to reward organizations or individuals who discover and report such vulnerabilities.

Article 8 After network operators discover or learn of security loopholes in their networks, information systems and equipment, they shall immediately take measures to verify the security loopholes and complete repairs in a timely manner.

Article 9 Organizations or individuals engaged in the discovery and collection of network product security vulnerabilities shall, when releasing information on network product security vulnerabilities to the public through network platforms, media, conferences, competitions or other channels, follow the relevant principles and abide by the following provisions:

(1) Vulnerability information shall not be released before the network product provider has provided repair measures for the network product security vulnerability; if early release is deemed necessary, the releasing party shall evaluate and negotiate with the relevant network product provider and report to the Ministry of Industry and Information Technology and the Ministry of Public Security, and the information shall be published by the Ministry of Industry and Information Technology and the Ministry of Public Security after evaluation.

(2) Details of security vulnerabilities in the networks, information systems and equipment used by network operators shall not be published.

(3) The harm and risk of network product security vulnerabilities shall not be deliberately exaggerated, and information on network product security vulnerabilities shall not be used for malicious speculation or for fraud, extortion or other illegal and criminal activities.

(4) Programs and tools specially designed to exploit network product security vulnerabilities in order to engage in activities that endanger network security shall not be published or provided.

(5) When releasing information on network product security vulnerabilities, repair or preventive measures shall be released at the same time.

(6) During major national events, information on network product security vulnerabilities shall not be released without the consent of the Ministry of Public Security.

(7) Undisclosed network product security vulnerability information shall not be provided to overseas organizations or individuals other than the network product provider.

(8) Other relevant provisions of laws and regulations shall be observed.

Article 10 Any organization or individual establishing a network product security vulnerability collection platform shall file it with the Ministry of Industry and Information Technology. The Ministry of Industry and Information Technology shall promptly notify the Ministry of Public Security and the State Internet Information Office of the relevant vulnerability collection platforms, and shall publish the vulnerability collection platforms that have completed filing.

Organizations or individuals who discover network product security vulnerabilities are encouraged to report the vulnerability information to the Ministry of Industry and Information Technology’s Network Security Threat and Vulnerability Information Sharing Platform, the National Network and Information Security Information Notification Center Vulnerability Platform, the National Computer Network Emergency Technology Handling Coordination Center Vulnerability Platform, and the China Information Security Evaluation Center vulnerability database.

Article 11 Organizations engaged in the discovery and collection of network product security vulnerabilities shall strengthen internal management and take measures to prevent information leakage and illegal release of network product security vulnerabilities.

Article 12 If a network product provider fails to take measures to repair or report network product security vulnerabilities in accordance with these Provisions, the Ministry of Industry and Information Technology and the Ministry of Public Security shall handle the matter according to their respective responsibilities; where the conduct constitutes a circumstance for which the Cybersecurity Law of the People’s Republic of China prescribes a penalty, the penalty shall be imposed in accordance with that provision.

Article 13 If a network operator fails to take repair or preventive measures for network product security vulnerabilities in accordance with these Provisions, the matter shall be handled by the relevant competent departments according to law; where the conduct constitutes a circumstance specified in Article 59 of the Cybersecurity Law of the People’s Republic of China, the penalty shall be imposed in accordance with that provision.

Article 14 Whoever collects or releases network product security vulnerability information in violation of these Provisions shall be dealt with according to law by the Ministry of Industry and Information Technology and the Ministry of Public Security in accordance with their respective duties; where the conduct constitutes a circumstance for which the Cybersecurity Law of the People’s Republic of China prescribes a penalty, the penalty shall be imposed in accordance with that provision.

Article 15 Those who use network product security vulnerabilities to engage in activities that endanger network security, or who provide technical support to others using network product security vulnerabilities to engage in activities that endanger network security, shall be handled by the public security organs according to law; where the conduct constitutes a circumstance specified in Article 63 of the Cybersecurity Law of the People’s Republic of China, the penalty shall be imposed in accordance with that provision; where a crime is constituted, criminal responsibility shall be pursued according to law.

Article 16 These Provisions shall come into force on September 1, 2021.


Interpretation of “Regulations on the Management of Network Product Security Vulnerabilities”

1. What is the purpose and significance of the promulgation of the Regulations on the Administration of Security Vulnerabilities of Network Products (hereinafter referred to as the Regulations)?

A: In accordance with the vulnerability management requirements of the Cybersecurity Law, the Ministry of Industry and Information Technology, the State Internet Information Office, and the Ministry of Public Security jointly formulated the “Regulations”. Their main purposes are to maintain national network security and protect the secure and stable operation of network products and important network systems; to standardize vulnerability discovery, reporting, patching, and release, and to clarify the responsibilities and obligations of network product providers, network operators, and organizations or individuals engaged in vulnerability discovery, collection, and release; and to encourage these entities to draw on their respective technical and mechanism strengths in carrying out vulnerability discovery, collection, and release work. The promulgation of the “Regulations” will promote the institutionalization, standardization and rule of law of network product security vulnerability management, improve the vulnerability management level of the relevant entities, guide the construction of standardized, orderly and dynamic vulnerability collection and release channels, prevent major network security risks, and safeguard national network security.

2. What is the process of formulating the Regulations?

A: In 2019, the Ministry of Industry and Information Technology, together with relevant departments, established a special drafting group that conducted in-depth investigations, discussions, and demonstrations, studied and analyzed the current state of vulnerability management at home and abroad, sorted out vulnerability management needs in all respects, and listened to the opinions and proposals of experts and scholars in the field of network security, forming a draft of the “Regulations” for comments. It then solicited opinions from network product providers, network operators, network security enterprises, and professional institutions on several occasions, publicly solicited opinions from the public in June 2019, organized focused discussions with relevant departments, enterprises and institutions, and fully adopted the suggestions of all parties to form a draft of the “Regulations” for review, which was promulgated after review and approval by the Ministry of Industry and Information Technology and the relevant departments.

3. What are the responsibilities and obligations of network product providers, network operators, and organizations or individuals engaged in activities such as vulnerability discovery, collection, and disclosure in the Provisions?

Answer: Network product providers and network operators are responsible for the vulnerabilities in their own products and systems. They must establish smooth channels for receiving vulnerability information, verify vulnerabilities in a timely manner, and complete vulnerability repairs. At the same time, the “Regulations” impose a specific time limit on vulnerability reporting by network product providers, as well as an obligation to provide technical support to product users. For organizations and individuals engaged in activities such as vulnerability discovery, collection, and release, the “Regulations” set out eight specific requirements, including that product vulnerabilities may be disclosed in advance only after evaluation and negotiation, that details of network operator vulnerabilities must not be released, that repair and preventive measures must be released at the same time as the vulnerability, and that undisclosed vulnerabilities must not be provided to overseas organizations or individuals other than the product provider.

4. In the Provisions, timely patching of network product security loopholes is a security obligation that network product providers should perform. What are the main considerations?

Answer: Information about network product vulnerabilities can spread quickly through society via network platforms, media, conferences, and other channels, jeopardizing the rights and interests of a large number of network users, so measures must be taken to prevent risks from spreading and to avoid damage. The “Cybersecurity Law” clearly states that when network product providers discover that their network products have security defects, vulnerabilities or other risks, they shall immediately take remedial measures, promptly notify users, and report to the relevant competent authorities in accordance with regulations. Therefore, the “Regulations” require network product providers to report vulnerability information to the Ministry of Industry and Information Technology within 2 days, to make repairs in a timely manner, and to inform potentially affected product users of the repair methods.

5. What are the management requirements for vulnerability collection platforms in the Regulations?

A: In recent years, many professional institutions, enterprises and social organizations have established vulnerability collection platforms for vulnerability discovery and collection. In practice, some of these platforms have exposed problems such as irregular internal operations and unauthorized release of vulnerabilities, so management needs to be strengthened. To this end, the “Regulations” establish filing management for vulnerability collection platforms, provide that the Ministry of Industry and Information Technology will publish the platforms that have completed filing, and require vulnerability collection platforms to take measures to prevent the leakage and illegal release of vulnerability information.

6. How to advance related work in the next step?

A: After the promulgation of the “Regulations”, the Ministry of Industry and Information Technology will implement it from the aspects of policy publicity, mechanism improvement, and platform construction. The first is to strengthen policy publicity and implementation, do a good job in policy consultation and work guidance for relevant enterprises and institutions, and guide vulnerability collection platforms to carry out vulnerability collection and publication in accordance with laws and regulations. The second is to improve the relevant working mechanism, establish and improve the working mechanism for important links such as vulnerability assessment, release, and notification, and clarify the filing method and reporting content of the vulnerability collection platform. The third is to strengthen the construction of the network security threat and vulnerability information sharing platform of the Ministry of Industry and Information Technology, do a good job in information sharing with other vulnerability platforms and vulnerability databases, and improve the platform’s technical support capabilities.
