| Subject | Encouraged conduct | Obligations and prohibitions | Penalties for non-compliance |
|---|---|---|---|
| Network product providers | • Establish a reward mechanism for reporting network product security vulnerabilities and reward any organization or individual that discovers and reports such vulnerabilities. | • Establish and maintain open channels for receiving reports of security vulnerabilities in network products, and keep logs of reported vulnerabilities for no less than six months; • upon detecting or becoming aware of a security vulnerability in a provided network product, immediately organize verification of the suspected vulnerability, assess the extent of harm and scope of impact, and organize rectification in a timely manner; • file the relevant security vulnerability within two days with the Network Security Threat and Vulnerabilities Information Sharing Platform of the Ministry of Industry and Information Technology (MIIT); • notify the relevant upstream providers if upstream products or components contain the security vulnerability; • notify downstream users (including downstream manufacturers) of the potential security vulnerability and the rectification method, and provide technical support where users (including downstream manufacturers) must take remedial measures such as software or firmware upgrades. | • Order to make corrections and a warning; • a fine of CNY50,000 to CNY500,000 if they refuse to make corrections or if severe consequences such as endangering cybersecurity result; • the person directly in charge is subject to a fine of CNY10,000 to CNY100,000. |
| Network operators | | • Establish and maintain open channels for receiving reports of network security vulnerabilities, and keep logs of reported vulnerabilities for no less than six months; • upon detecting or becoming aware of a security vulnerability in networks, information systems or equipment, take immediate measures to verify it and repair it in a timely manner. | General network operators: • order to make corrections and a warning; • a fine of CNY10,000 to CNY100,000 if they refuse to make corrections or if severe consequences such as endangering cybersecurity result; • the person directly in charge is subject to a fine of CNY5,000 to CNY50,000. Critical information infrastructure operators: • order to make corrections and a warning; • a fine of CNY10,000 to CNY1,000,000 if they refuse to make corrections or if severe consequences such as endangering cybersecurity result; • the person directly in charge is subject to a fine of CNY10,000 to CNY100,000. |
| Organizations or individuals engaged in discovering, collecting or disclosing security vulnerabilities in network products | | • Establish a platform for collecting network product security vulnerabilities and file the platform with MIIT; • establish and maintain open channels for receiving reports of security vulnerabilities in network products, and keep logs of reported vulnerabilities for no less than six months; • strengthen internal management and take measures to prevent the leakage and unlawful disclosure of vulnerability information; • publication of vulnerability information to the public through network platforms, media, meetings, contests or otherwise must follow the principles of necessity, authenticity and objectivity and be conducive to preventing cybersecurity risks; • must not publicize vulnerability information before the network product provider has taken measures to rectify the vulnerability; where early publication is deemed necessary, negotiate and cooperate with the network product provider on a joint assessment and report it to MIIT and the Ministry of Public Security, which are responsible for publication after assessment; • must not publicize details of security vulnerabilities in networks, information systems and equipment currently in use by network operators; • must not deliberately exaggerate the hazards and risks of network product security vulnerabilities, and must not use vulnerability information for illegal or criminal activities such as malicious speculation, fraud or extortion; • must not publicize or provide programs and tools specifically intended for activities that endanger cybersecurity by exploiting network product security vulnerabilities; • must publicize remedial or preventive measures at the same time as publicizing a network product security vulnerability; • must not publicize network product security vulnerabilities during major national events without the approval of the Ministry of Public Security; • must not provide undisclosed information about network product security vulnerabilities to overseas organizations or individuals other than the network product provider. | • Order to make corrections and a warning; • a fine of CNY10,000 to CNY100,000 if they refuse to make corrections or if severe consequences such as endangering cybersecurity result; • the competent department may order suspension of the relevant business, cessation of business for rectification, closure of websites, and revocation of relevant business permits or business licenses; • the person directly in charge and any other person directly liable are subject to a fine of CNY5,000 to CNY50,000. |
| Other organizations or individuals | • Notify network product providers of security vulnerabilities in their products; • file network product security vulnerability information with the Network Security Threat and Vulnerabilities Information Sharing Platform of MIIT, the Vulnerabilities Platform of the National Network and Information Security Information Notification Center, the Vulnerabilities Platform of the National Computer Network Emergency Response Technical Team/Coordination Center, and the Vulnerabilities Database of the China Information Security Assessment Center. | • Must not use network product security vulnerabilities to engage in activities that endanger cybersecurity; • must not unlawfully collect, sell or publicize network product security vulnerability information; • must not provide technical support, advertising and promotion, payment or settlement services, or any other assistance to any person they know to be using network product security vulnerabilities to engage in activities that endanger cybersecurity. | Where the conduct does not constitute a crime: • confiscation of illegal gains and detention for fewer than 5 days, possibly combined with a fine of CNY50,000 to CNY500,000; • in serious cases, detention for 5 to 15 days and a fine of CNY100,000 to CNY1,000,000. Where an entity commits any of the above acts: • confiscation of illegal gains; • a fine of CNY100,000 to CNY1,000,000; • the person directly in charge and any other person directly liable are penalized in accordance with the preceding paragraph. Relevant personnel: • any person who has received a public security administration penalty may not serve in key positions in cybersecurity management or network operation for 5 years; • any person who has received a criminal penalty may not serve in such key positions for life. |