(Long) Dragon Tails – Measuring Dependence on International Vulnerability Research

Conference:  Black Hat USA 2022

2022-08-10

Summary

The talk presents a study on the dependence of critical proprietary and open source software on Chinese vulnerability disclosures and the impact of recent Chinese laws on vulnerability research. The talk also provides recommendations on how to address the 'supply shock' of vulnerabilities from the Chinese research community.
  • The talk presents a quantitative analysis of the changing proportion of Chinese-based vulnerability disclosures to major software products from a selection of proprietary vendors as well as several major open source packages.
  • The analysis considers changes over time in response to the evolving Chinese legal environment, significant divergence from data on the allocations of bug bounty rewards, and noteworthy trends in the type and severity of acknowledged vulnerabilities.
  • Recent laws designed to give the Chinese government early access to the community's discoveries and the government's willingness to enforce those laws demand a more thorough accounting.
  • The talk addresses implications for infosec as well as the wider policy environment, including selected recommendations on how to address the 'supply shock' of vulnerabilities from the Chinese research community.

The talk uses the example of the log4j vulnerability to illustrate the importance of vulnerability research and the potential impact of bad policy on the ecosystem. A researcher at Alibaba Cloud discovered the vulnerability and reported it directly and privately to Apache, which promptly began patching. However, the researcher later noticed that the vulnerability was being exploited and reported it publicly. This incident highlights the importance of vulnerability research and the need for effective policies to support it.

Abstract

This talk will present results of a study on the reliance of critical proprietary and open source software on Chinese software vulnerability disclosures. The increasingly difficult environment for Chinese security researchers became acute with the September 2021 passage of a law requiring vulnerabilities also be reported to the MIIT alongside the affected vendor. As yet, however, the impact of these restrictions has not been systematically evaluated in public.

This talk will present results of a quantitative analysis of the changing proportion of Chinese-based vulnerability disclosures to major software products from a selection of proprietary vendors as well as several major open source packages. The analysis considers changes over time in response to the evolving Chinese legal environment, significant divergence from data on the allocations of bug bounty rewards, and noteworthy trends in the type and severity of acknowledged vulnerabilities.

Anecdotally, the Chinese research community's prowess is well known, from its bug discovery exploits at the Tianfu Cup to the prominence of enterprise research labs like Qihoo 360. However, recent laws designed to give the Chinese government early access to the community's discoveries—and the government's willingness to enforce those laws even on high-profile corporations, as with its recent punishment of Alibaba—demand a more thorough accounting. This talk will address implications for infosec as well as the wider policy environment, including selected recommendations on how to address the 'supply shock' of vulnerabilities from this research community.
