> Notifying vendors first about security flaws is a cybersecurity industry norm, but a new law encourages Chinese companies to first notify the government
It was already discussed yesterday[1] that there's nothing in the new law (full text at [2]) that "encourages Chinese companies to first notify the government", so that article is already misleading, without further details.
This NYTimes reporter only added inflammatory spins like "right of first refusal", "researchers went rogue" that are nowhere to be found in the linked article.
There is nothing misleading or inflammatory