Recently, the Ministry of Industry and Information Technology ("MIIT") and two other authorities issued the Provisions on the Administration of Network Product Security Vulnerabilities (the "Provisions"), which shall come into effect on September 1, 2021.

The Provisions state that, no organization or individual may use network product security vulnerabilities to engage in activities that endanger network security, or illegally collect, sell, or publish information on network product security vulnerabilities. Anyone who knows that others use network product security vulnerabilities to engage in activities that endanger network security may not provide technical support, advertising, payment settlement and other assistance for them. According to the Provisions, network product providers, network operators, and platforms collecting network product security vulnerabilities shall establish and improve channels for receiving network product security vulnerability information and make such channels available, and retain network product security vulnerability information reception logs for at least six months. The Provisions also specify eight requirements for organizations and individuals engaged in activities such as vulnerability discovery, collection, and release, among others, they are prohibited from providing undisclosed vulnerabilities to overseas organizations or individuals other than product providers.

(Source: Ministry of Industry and Information Technology)