The Lawfare Podcast

China’s Approach to Software Vulnerabilities Reporting

The Lawfare Podcast

The Lawfare Institute

History, News, National Security, Law, Terrorism, Current Events, Military, International Law, Foreign Policy, Intelligence, International Relations, Politics, Diplomacy, Rule Of Law, Government, Constitutional Law


🗓️ 19 October 2023

⏱️ 46 minutes


Summary

In July 2021, the Chinese government published its “Regulations on the Management of Network Product Security Vulnerabilities.” These rules require researchers to inform the government of all flaws in code within 48 hours of their discovery, effectively supporting efforts to stockpile software vulnerabilities, which can then be used for offensive cyber operations.

Lawfare Fellow in Technology Policy and Law Eugenia Lostri sat down with two guests who recently authored a report on how China manages software vulnerabilities. Dakota Cary is a nonresident fellow at the Atlantic Council’s Global China Hub and a consultant at Krebs Stamos Group. Kristin del Rosso is a public sector field CTO at IT security company Sophos. They talked about how companies have adjusted to China’s rules, how their system compares to the U.S. voluntary approach, and the incentives to collect vulnerabilities for offensive operations. 


Transcript


0:00.0

The following podcast contains advertising. To access an ad-free version of the Lawfare

0:07.2

podcast, become a material supporter of Lawfare at patreon.com slash Lawfare, that's patreon.com slash

0:16.9

Lawfare. Also check out Lawfare's other podcast offerings: Rational Security, Chatter, Lawfare

0:25.6

No Bull, and The Aftermath. So a bunch of organizations that have offensive

0:36.3

missions are getting access to the information that is now being mandatorily collected through

0:42.2

this new MIIT database. And so there's a lot of content to visualize and imagine, but the

0:48.7

short version is there used to be voluntary disclosure. You used to be able to support

0:53.5

the intelligence services if you wanted to. And under the new system, if you're doing research

0:59.1

on software vulnerabilities in China, you are, unfortunately, de facto supporting those

1:05.2

offensive missions, even if you did not intend to. I am Eugenia Lostri, Lawfare's fellow

1:11.0

in technology policy and law. And this is the Lawfare podcast, October 19, 2023. In July 2021,

1:19.7

the Chinese government published its Regulations on the Management of Network Product Security

1:25.2

Vulnerabilities. These rules require researchers to inform the government of all flaws in

1:31.5

code within 48 hours of their discovery, effectively supporting efforts to stockpile software

1:38.2

vulnerabilities, which can then be used for offensive cyber operations. My two guests

1:44.5

recently authored a report on how China manages software vulnerabilities. Dakota Cary is

1:51.3

a nonresident fellow at the Atlantic Council's Global China Hub, and a consultant at Krebs

1:57.4

Stamos Group. Kristin del Rosso is a public sector field CTO at IT security company Sophos.

2:05.9

We talked about how companies have adjusted to China's new rules, how their system compares

2:11.0

to the U.S. voluntary approach, and the incentives to collect vulnerabilities for offensive

2:16.5

operations. It's the Lawfare podcast for October 19: China's Approach to Software Vulnerabilities

2:24.0

Reporting. You recently published a report called

...

