【Source】http://www.miit.gov.cn/n1146285/n1146352/n3054355/n3057724/n3057728/c7005976/content.html 【Comment Period】Through July 18, 2019
Article 1: These Provisions are formulated on the basis of the "National Security Law" and the "Cybersecurity Law" so as to regulate conduct such as the reporting and publication of information on network security vulnerabilities (hereinafter "vulnerabilities"); to ensure that vulnerabilities in network products, services, and systems are promptly patched; and to raise the level of national security protections.
Article 2: Providers of network products or services, and network operators, as well as organizations carrying out activities related to testing, assessing, collecting, and publishing vulnerabilities, and related competitions (hereinafter "third-party organizations"), or individuals, shall obey these Provisions.
Article 3: After providers of network products or services, or network operators, discover or become aware that vulnerabilities exist in their network products, services or systems, they shall obey the following provisions:
(1) Immediately verify the vulnerabilities, and employ measures to patch or prevent the vulnerabilities in relevant network products within 90 days, or employ measures to patch or prevent vulnerabilities in services or systems within 10 days;
(2) Where it is necessary for users or relevant technical partners to employ measures to patch or prevent vulnerabilities, then within 5 days of employing measures to patch or prevent the vulnerabilities, the vulnerability risk and the patch or preventative measures that users and relevant technical partners need to employ shall be published to the public, or all users and technical partners that might be impacted shall be notified through methods such as customer service, the necessary technical support shall be provided, and the circumstances of the vulnerability shall be sent to the Ministry of Industry and Information network security threat information sharing platform.
Article 4: The Ministry of Industry and Information, Ministry of Public Security, and relevant departments for industries are, in accordance with their respective duties, to organize and urge providers of network products and services, and network operators, to employ measures to patch and prevent vulnerabilities.
Article 5: The Ministry of Industry and Information, Ministry of Public Security, State Internet Information Office, and other relevant departments are to bring about real-time information sharing on vulnerabilities.
Article 6: Third-party organizations or individuals publishing information on vulnerabilities to the public through means such as websites, media, or meetings, shall comply with the principles of necessity, veracity, objectivity, and being conducive to preventing and responding to network security risks, and obey the following provisions:
(1) Information on vulnerabilities must not be published before providers of network products or services, or network operators, have published patch or prevention measures to the public or to users;
(2) The harm and risk of vulnerabilities must not be deliberately increased;
(3) Methods, procedures, and tools specially used to exploit vulnerabilities in network products, services, and systems to engage in activities that endanger network security must not be published or provided;
(4) Measures patching or preventing vulnerabilities shall be released in sync.
Article 7: Third-party organizations shall strengthen internal management, and perform the following management obligations to prevent leaks of information on vulnerabilities and the publication of information on vulnerabilities by internal personnel in violation of rules:
(1) Specify departments and persons responsible for managing vulnerabilities;
(2) Establish internal review mechanisms for publication of information on vulnerabilities;
(3) Employ necessary measures for preventing leaks of information on vulnerabilities;
(4) Periodically conduct secrecy education for internal personnel;
(5) Formulate internal accountability systems.
Article 8: Where the providers of network products or services, or network operators, do not follow these Provisions to employ measures to patch or prevent vulnerabilities and publish them to the public or users, the Ministry of Industry and Information, Ministry of Public Security, and other relevant departments are, in accordance with their duties, to arrange for them to be spoken with or given administrative punishments on the basis of articles 56, 59, and 60 of the "Cybersecurity Law".
Article 9: Where third-party organizations violate these Provisions by publishing information to the public, the Ministry of Industry and Information, Ministry of Public Security, and other relevant departments are to arrange for them to be spoken with, or given administrative punishments on the basis of articles 62 and 63 of the "Cybersecurity Law" and other such provisions; where a crime is constituted, criminal responsibility is pursued in accordance with law; and where economic or reputation harms are caused to providers of network products or services, or network operators, civil responsibility is borne in accordance with law.
Article 10: Third-party organizations and individuals are encouraged to promptly report circumstances of vulnerabilities they learn of in network products, services, and systems to the national information security vulnerability sharing platform, the national information security vulnerability archive, and other platforms for the collection of vulnerabilities. Platforms for the collection of vulnerabilities shall comply with articles 6 and 7 of these Provisions.
Article 11: All organizations or individuals discovering circumstances suspected of violating these Provisions have the right to report them to the Ministry of Industry and Information or the Ministry of Public Security.
Article 12: These Provisions take effect on the date of printing and issue.