Provisions on the Management of Network Product Security Vulnerabilities

ALL TRANSLATIONS ON THIS SITE ARE UNOFFICIAL AND ARE PROVIDED FOR REFERENCE PURPOSES ONLY. THESE TRANSLATIONS ARE CREATED AND CONTINUOUSLY UPDATED BY USERS –THEY ARE FREE TO VIEW, BUT PROPER ATTRIBUTION IS REQUIRED FOR DISTRIBUTION OF THESE OR DERIVATIVE TRANSLATIONS. PAGES WITHOUT IMAGES ARE WORKS IN PROGRESS.

English中文(简体)

Promulgation Date: 2021-7-12
Title: 关于印发网络产品安全漏洞管理规定的通知
Document Number:工信部联网安〔2021〕66号
Expiration date: 
Promulgating Entities:工业和信息化部 国家互联网信息办公室 公安部
Source of text: http://www.cac.gov.cn/2021-07/13/c_1627761607640342.htm

 

Article 1: These Provisions are drafted on the basis of the Cybersecurity Law of the PRC so as to regulate the discovery, reporting, patching, and publication of security vulnerabilities in network products and to defend against security risks.

Article 2: Providers of network products (including hardware and software) and network operators within the [mainland] territory of the PRC, as well as organizations and individuals involved in activities such as the discovery, collection, and publication of network product security vulnerabilities, shall comply with these Provisions.

Article 3: The State Internet Information Office is responsible for the overall planning and coordination of efforts to manage network product security vulnerabilities. The Ministry of Industry and Information Technology is responsible for the comprehensive management of network product security vulnerabilities and is to undertake oversight and management of network product security vulnerabilities in the telecommunications and Internet industries. The Ministry of Public Security is responsible for oversight and management of network product security vulnerabilities, combatting the use of internet product security vulnerabilities to carry out illegal and criminal activities.

Relevant regulatory departments are to strengthen cross-departmental coordination and cooperation to bring about real-time sharing of information on network product security vulnerabilities, to carry out joint assessment and disposition of major network product security vulnerabilities and risks.

Article 4: Organizations and individuals must not exploit network product security vulnerabilities to engage in activities that endanger network security; must not illegally collect, sell, or publish information on network product security vulnerabilities; and where one knows that others are exploiting network product security vulnerabilities to engage in activities that endanger network security, they must not provide them with technical support, advertising or promotions, payments and settlements, or other such assistance.

Article 5: The providers of network products, network operators, and platforms for the collection of network product security vulnerabilities shall establish and complete channels for receiving information on network product security vulnerabilities and keep them open, retaining information on network product security vulnerabilities for at least 6 months from its receipt.

Article 6: Relevant organizations and individuals are encouraged to report to network product providers on security vulnerabilities that exist in their products.

Article 7: Network product providers shall perform the following management obligations on network product security vulnerabilities to ensure that security vulnerabilities in their network products are promptly patched and published reasonably, and are to guide and support product users in employing preventative measures:

(1) After it is discovered or learned that security vulnerabilities exist in their network products, they shall immediately employ measures and organize testing and assessment of the extent of harm and degree of impact from the security vulnerability; and for security vulnerabilities that exist in upstream products or components, they shall immediately notify the provider of those products.

(2) Infomation on the relevant vulnerabilities shall be reported to the Ministry of Industry and Information Technology's network security threat and vulnerability information-sharing platform within 2 days; The content sent shall include the name, model number, and version of the products in which network product security vulnerabilities exist, as well as the vulnerability's technical characteristics, threat, scope of impact, and so forth.

(3) Shall promptly organize patching of network product security vulnerabilities, and where it is necessary for product users to employ software and firmware updates or other such measures, shall promptly inform them of the potential impact to users from the risks of the network product security vulnerability and the methods of patching, and provide necessary technical support.

The Ministry of Industry and Information Technology information sharing platform for network security threats and vulnerabilities is to synchronize information on relevant vulnerabilities with the National Network and Information Security Information Reporting Center and the National Computer Network Center for Technical Handling and Coordination of Emergency Response.

Providers of network products are encouraged to establish reward mechanisms for network product vulnerabilities in the products they provide, giving rewards to organizations or individuals who discover and report network product security vulnerabilities in their products.

Article 8: After network operators discover or learn of security vulnerabilities in their networks, information systems, or their equipment, they shall immediately employ measures to promptly conduct testing of the security vulnerabilities and complete patching

Article 9: Where organizations or individuals engaged in the discovery or collection of network product security vulnerabilities publicly disclose information on network product security vulnerabilities through online platforms, media, conferences, competitions, and other such methods, they shall comply with the principles of necessity, veracity, objectivity, and benefit to the prevention of network security risks, and obey the following provisions:

(1) Must not publish information on vulnerabilities before the network product provider provides measures to patch the vulnerabilities; where they find it is necessary to publish in advance, they shall jointly assess and negotiate with the network product providers and report to the Ministry of Industry and Information Technology and the Ministry of Public Security, and those ministries are to publish it after organizing an assessment.

(2) Must not publish detailed circumstances of security vulnerabilities that exist in the networks, information systems, and equipment that are in use by network operators.

(3) Must not deliberately expand the threat or risks of network product security vulnerabilities, and must not exploit information on network product security vulnerabilities to carry out malicious sensationalization or to conduct fraud, extortion, or other violations and crimes.

(4) Must not publish or provide procedures or tools specialized the exploitation of network product security vulnerabilities to engage in activities that endanger network security.

(5) When publishing network product security vulnerabilities, patches or preventative measures shall be published simultaneously.

(6) During the period the state hosts major activities, information on network product security vulnerabilities must not be published without authorization without the consent of the Ministry of Public Security.

(7) Information on network product security vulnerabilities that is not public must not be provided to overseas organizations or individuals other than the network product provider.

(8) Other relevant provisions of laws and regulations.

Article 10: Any organization or individual that sets up a platform for collecting network product security violations shall record it with the Ministry of Industry and Information Technology. The Ministry of Industry and Information Technology is to promptly report the vulnerability collection platform to the Ministry of Public Security and the State Internet Information Office, and announce it through the recorded platforms for the collection of vulneratibilities.

Organizations and individuals discovering network product security vulnerabilities are encouraged to report information related to the vulnerabilities to the Ministry of Industry and Information Technology's Network Threat and Information Sharing Platform, The National Network and Information Security Information Reporting Center's vulnerability platform, the National Computer Network Emergency Response Technical Handling and Coordination Center's vulnerability platform, and the China Information Security Testing Center's Vulnerability Database.

Article 11: Organizations engaged in the discovery and collection of network product security vulnerabilities shall strengthen internal management and employ measures to prevent information on network product security vulnerabilities from leaking or being illegally published.

Article 12: Where network product providers fail to employ measures for patching or reporting network product security violations in accordance with these Provisions, the Ministry for Industry and Information Technology and the Ministry of Public Security are to address it in accordance with law based on their respective duties; and where the circumstances provided for in article 60 of the Cybersecurity Law of the PRC are established, punishment is to be given in accordance with those provisions.

Article 13: Where network operators fail to employ measures to patch or prevent network product security violations in accordance with these provisions, the relevant regulatory department is to handle it in accordance with law; where the circumstances provided for in article 59 of the Cybersecurity Law of the PRC are established, punishment is to be given in accordance with those provisions.

Article 14: Where information on network product security vulnerabilities is collected or published in violation of these Provisions, the Ministry for Industry and Information Technology and the Ministry of Public Security are to address it in accordance with law based on their respective duties; and where the circumstances provided for in article 62 of the Cybersecurity Law of the PRC are established, punishment is to be given in accordance with those provisions.

Article 15: Where network product security vulnerabilities are exploited to engage in activities that endanger network security, or where technical support is provided for others to exploit network product security vulnerabilities to engage in activities that endanger network security, the public security organs are to handle it in accordance with law; where the circumstances provided for in article 63 of the Cybersecurity Law of the PRC are established, it is to be addressed in accordance with those provisions; and where a crime is constituted, criminal responsibility is to be pursued in accordance with law.

Article 16: These Provisions take effect on September 1, 2021.

 

About China Law Translate 1114 Articles
CLT is a crowdsourced, crowdfunded legal translation project that enables English speaking people to better understand Chinese law.

Be the first to comment

Leave a Reply

Your email address will not be published.


*