by sudosysgen 1642 days ago
This is the law that is mentioned in the article, as a link says that this is an application of the MIIT ruling that came into effect September 1st:

http://www.gov.cn/gongbao/content/2021/content_5641351.htm

Here is a machine translation of the relevant section that seems to agree with the GP:

>Article 7 Network product providers shall perform the following network product security vulnerabilities management obligations, ensure that their product security vulnerabilities are repaired in a timely manner and reasonably released, and guide and support product users to take preventive measures:

>(1) After discovering or learning about the security vulnerabilities in the provided network products, they should immediately take measures and organize verification of the security vulnerabilities to assess the degree of harm and the scope of the security vulnerabilities; for the security vulnerabilities in their upstream products or components, they should notify the relevant product provider immediately.

>(2) The relevant vulnerability information should be reported to the Ministry of Industry and Information Technology's cyber security threat and vulnerability information sharing platform within 2 days. The content of the submission shall include the product name, model, version, and the technical characteristics, harm, and scope of the vulnerability that have security loopholes in network products.

>(3) Remediation of network product security vulnerabilities should be organized in a timely manner. For product users (including downstream manufacturers) that need to take measures such as software and firmware upgrades, network product security vulnerabilities and repair methods should be promptly informed of the product users who may be affected, and provide the necessary technical support.