China's infosec researchers obeyed Beijing and stopped reporting vulns ... or did they?

Report finds increase in anonymous vuln reports


The number of vulnerability reports provided by Chinese information security researchers has fallen sharply, according to research by think tank The Atlantic Council, which also found a strangely commensurate increase in bug reports from unknown sources.

The Council examined the state of Chinese infosec research in the context of the 2021 introduction of the "Regulations on the Management of Security Vulnerabilities of Network Products" (RMSV), which require researchers in China to report any vulns they find to the authorities and bar them from passing undisclosed vulnerability details to overseas organizations other than the affected vendor. As The Register has reported, one purpose of the regulations may be to allow China's government to stockpile vulnerabilities for strategic or offensive operations. A ban on Chinese researchers participating in international infosec competitions is thought to have been imposed for similar reasons.

In a paper on the matter titled "Dragon tails: Preserving international cybersecurity research", the Council notes that China's infosec researchers are prolific and capable, with Alibaba's discovery of the Log4j bug being a prime example of their sterling work.


However, the document also notes that Alibaba was sanctioned by Chinese authorities for disclosing the flaw to the Apache Software Foundation. The Council's team therefore set out to determine whether China's curbs on sharing vulnerability reports are harming the global community.

To do so, the researchers looked at vulnerability acknowledgements from vendors including Microsoft, Apple, VMware, F5, and Red Hat, as those companies publicly credit the sources of the vulnerabilities they fix.

That method found a big drop in vuln reports from China reaching Microsoft, but also "an increase of similar size and significance in contributions tagged either to individuals, companies with no known country tag, or no acknowledgement at all."

The Council's researchers hypothesize this could indicate that Chinese researchers instead reported bugs anonymously.
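The analysis described above can be reproduced in miniature. The following is an added example, not code or data from the Atlantic Council paper or from The Register: it tags each credited reporter with a country via a constructed affiliation map (or as untagged when the credit is empty, an individual handle, or an unknown company), aggregates per half-year, and flags a period in which one country's share falls while the untagged share rises by a comparable amount. The acknowledgement records, the affiliation map and the thresholds are all constructed for illustration.

```python
"""Source-tag trend analysis over vendor vulnerability acknowledgements.

Added example: mimics the tag-and-count method, using constructed sample
data rather than real vendor acknowledgements.
"""
from collections import Counter, defaultdict

# Constructed affiliation -> country map. Illustrative only, not authoritative.
AFFILIATIONS = {
    "qihoo 360": "CN",
    "alibaba cloud": "CN",
    "tencent": "CN",
    "google project zero": "US",
    "zdi": "US",
    "kaspersky": "RU",
}

UNTAGGED = "UNTAGGED"


def tag_source(credit):
    """Map one acknowledgement string to a country tag or UNTAGGED.

    Empty credits, 'anonymous', personal handles and companies not in the
    map all land in UNTAGGED, mirroring the paper's bucket of 'individuals,
    companies with no known country tag, or no acknowledgement at all'.
    """
    if not credit or credit.strip().lower() in {"anonymous", "n/a"}:
        return UNTAGGED
    lowered = credit.lower()
    for name, country in AFFILIATIONS.items():
        if name in lowered:
            return country
    return UNTAGGED


def period_of(date):
    """Bucket an ISO date string (YYYY-MM-DD) into a half-year, e.g. 2020H2."""
    year, month = int(date[:4]), int(date[5:7])
    return f"{year}H{1 if month <= 6 else 2}"


def shares_by_period(records):
    """Return {period: {tag: share_of_period_total}} from (date, credit) pairs."""
    counts = defaultdict(Counter)
    for date, credit in records:
        counts[period_of(date)][tag_source(credit)] += 1
    return {
        period: {tag: n / sum(c.values()) for tag, n in c.items()}
        for period, c in counts.items()
    }


def commensurate_shift(shares, tag, threshold=0.15, tolerance=0.05):
    """Find consecutive periods where `tag`'s share drops by at least
    `threshold` while UNTAGGED rises by a comparable amount (within
    `tolerance`). Returns [(from_period, to_period, drop, untagged_rise)].
    """
    periods = sorted(shares)  # 'YYYYHn' strings sort chronologically
    hits = []
    for a, b in zip(periods, periods[1:]):
        drop = shares[a].get(tag, 0.0) - shares[b].get(tag, 0.0)
        rise = shares[b].get(UNTAGGED, 0.0) - shares[a].get(UNTAGGED, 0.0)
        if drop >= threshold and abs(drop - rise) <= tolerance:
            hits.append((a, b, round(drop, 3), round(rise, 3)))
    return hits


# Constructed sample acknowledgements (date, credit). Not real advisories.
SAMPLE_RECORDS = [
    ("2020-01-14", "Qihoo 360 Vulcan Team"), ("2020-02-11", "Qihoo 360"),
    ("2020-03-10", "Tencent Security Xuanwu Lab"), ("2020-04-14", "Tencent"),
    ("2020-05-12", "Qihoo 360"), ("2020-05-12", "Google Project Zero"),
    ("2020-06-09", "ZDI"), ("2020-06-09", ""), ("2020-06-09", "@h4ndl3"),
    ("2020-06-09", "anonymous"),
    ("2020-07-14", "Alibaba Cloud"), ("2020-08-11", "ZDI"),
    ("2020-09-08", "Google Project Zero"), ("2020-10-13", ""),
    ("2020-10-13", ""), ("2020-11-10", "@r00tless"), ("2020-11-10", ""),
    ("2020-12-08", "anonymous"), ("2020-12-08", ""), ("2020-12-08", "@zer0"),
    ("2021-01-12", "Alibaba Cloud"), ("2021-02-09", "ZDI"),
    ("2021-03-09", "Google Project Zero"), ("2021-04-13", ""),
    ("2021-04-13", "anonymous"), ("2021-05-11", "@n0name"), ("2021-05-11", ""),
    ("2021-06-08", ""), ("2021-06-08", "@ghost"), ("2021-06-08", ""),
]


def analyse(records, tag="CN"):
    """Convenience wrapper: shares per period plus flagged shifts for `tag`."""
    shares = shares_by_period(records)
    return shares, commensurate_shift(shares, tag)


if __name__ == "__main__":
    shares, shifts = analyse(SAMPLE_RECORDS)
    for period in sorted(shares):
        print(period, {t: round(s, 2) for t, s in sorted(shares[period].items())})
    for a, b, drop, rise in shifts:
        print(f"{a}->{b}: CN share -{drop}, untagged share +{rise}")
```

The interesting check is the last one: a fall in one country's attributed share is unremarkable on its own, but a simultaneous rise of about the same size in the unattributed bucket is the signal the paper points at. Real acknowledgement pages would need proper scraping and a far larger affiliation table than the handful of names assumed here.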

At Red Hat, bug reports from China dropped off well before 2021 and have remained low ever since. The paper's authors believe that may be due to China forking open source projects and spending less time looking at efforts initiated offshore.

One marked trend observed across all vendors and technologies was the near disappearance of Chinese security company Qihoo 360 from bug reports from around July 2020, shortly after the US Department of Commerce added the company to its Entity List, which restricts exports to the firms named on it.

Again, an uptick in anonymized bug reports emerged not long after Qihoo 360 was sanctioned.

The paper concludes that the RMSV has had a measurable impact, and that if similar laws were passed elsewhere it could lead to "potential isolation of significant subsets of the research community from the larger global supply of vulnerability disclosures."

"This kind of fear and fragmentation only adds risk to an already difficult to mitigate landscape," the paper adds.

The Council therefore calls for action.

"The United States and its allies should see the disclosure of Log4Shell as a call to action to improve the scale and resilience of the global supply of vulnerability disclosure," the paper declares. "Domestic legal changes to improve vulnerability research in single countries are useful, but they are insufficient to address the strategic ramifications of a potential supply shock."

The authors therefore recommend harmonizing vulnerability disclosure laws to allow cross-border sharing, international investment in open source vulnerability research tools, and tracking disclosure trends to spot gaps. Other suggestions include establishment of international processes that facilitate anonymous vulnerability reporting, and using national bug bounty programs to incentivize research on important software.

The report ends with the optimistic observation that infosec researchers generally behave ethically, as shown by Alibaba's discovery and reporting of the Log4j flaw "in spite of the RMSV and other legal contexts and with no apparent profit motive."

"That kind of relationship, writ large across the security ecosystem, is one well worth preserving." ®
