Chinese Hackers Leverage Software Vulnerabilities to Compromise Targeted Systems

China’s evolving cybersecurity regulations are reshaping the global landscape for software vulnerability disclosure, dramatically expanding state control over newly discovered flaws.

Under the “Regulations on the Management of Network Product Security Vulnerabilities” (RMSV), enacted in September 2021, companies operating in China must report software vulnerabilities to the Ministry of Industry and Information Technology (MIIT) within forty-eight hours of discovery.

The new framework prohibits public disclosure or proof-of-concept release before a patch is available, unless coordinated with the product owner and government, ensuring regulators have an early window into vulnerabilities before they become public knowledge.

Regulatory Overhaul Gives Security Agencies

This centralized approach stands in stark contrast to the United States’ decentralized, voluntary method, where researchers and firms can disclose vulnerabilities freely to companies or via public platforms.

In China, however, these discoveries are routed first to MIIT, which subsequently shares the data with the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) and the Ministry of Public Security (MPS). This chain supports both defensive cyber activities and potential offensive operations.

[Figure: China’s government vulnerability databases]

Entities with offensive missions, including the Ministry of State Security’s (MSS) 13th Bureau, state-linked contractors, and academic research centers tied to military hacking campaigns, can gain advance access to unpatched software vulnerabilities.

This access enables the rapid assembly of exploit toolkits to compromise targeted systems, enhancing operational effectiveness in cyber operations.

Shift in Disclosure Rules

Official statistics reveal that 151 private cybersecurity companies, employing at least 1,190 researchers, supply nearly 2,000 software vulnerabilities to the MSS each year, over a hundred of which are deemed “critical.”

The MIIT further incentivizes vulnerability discovery with research grants, ensuring a continuous flow of fresh exploits.

Since the adoption of these regulations, analysts have observed a sharp drop in public disclosure of industrial control system (ICS) vulnerabilities; only ten ICS vulnerabilities were published in 2022 compared to hundreds in prior years, underscoring a strategic shift in information flow and a widening gap between the number of discovered and disclosed vulnerabilities.

For foreign companies, compliance with China’s rules creates additional challenges. At least some multinational firms are now submitting internal vulnerability findings to Chinese regulators, often without reciprocal visibility into vulnerabilities discovered by others in China related to their own products.

This deprives them of timely intelligence while potentially fueling adversarial cyber arsenals. By aggregating both voluntary and mandatory disclosures and sharing them between multiple state entities, China’s cyber defense and intelligence apparatus can prioritize offensive and defensive use of vulnerabilities, sometimes holding back publication to preserve operational advantage.

Meanwhile, reports suggest a marked increase in zero-day vulnerabilities exploited by Chinese state-linked actors since the RMSV’s implementation.

The MIIT’s Cybersecurity Threat and Vulnerability Information Sharing Platform, while offering remediation support to domestic companies, consolidates oversight of vulnerability management and, potentially, allows deeper involvement in private-sector codebases.

This centralized posture not only raises the bar for national defense but also amplifies the state’s surveillance and offensive hacking capabilities.

As China continues to position software vulnerabilities as critical strategic resources, the global cyber ecosystem must grapple with the long-term security implications of this shift in vulnerability governance.

Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.