Guided reading
In order to standardize the filing management of network product security vulnerability collection platforms, the Ministry of Industry and Information Technology recently issued the “Administrative Measures for the Filing of Network Product Security Vulnerability Collection Platforms”. The “network product security vulnerability collection platform” referred to in the Measures is a public Internet platform established by an organization or individual to collect security vulnerabilities in network products that are not its own; platforms used only to patch security vulnerabilities in the operator’s own network products, networks and systems are excluded. The Measures stipulate that vulnerability collection platforms shall be filed online through the Ministry of Industry and Information Technology’s Network Security Threat and Vulnerability Information Sharing Platform. Organizations or individuals that intend to establish a vulnerability collection platform shall truthfully fill in the registration information of the network product security vulnerability collection platform through that platform. The Measures shall come into force on January 1, 2023.
Notice on Issuing the “Administrative Measures for the Filing of Network Product Security Vulnerability Collection Platforms”
Ministry of Industry and Information Technology Network Security [2022] No. 146
The competent departments of industry and informatization of all provinces, autonomous regions, municipalities directly under the Central Government and Xinjiang Production and Construction Corps, the communications administrations of all provinces, autonomous regions, and municipalities directly under the Central Government, and the operating units of relevant network product security vulnerability collection platforms:
The “Administrative Measures for the Filing of Network Product Security Vulnerability Collection Platforms” are hereby issued to you. Please follow them carefully.
Ministry of Industry and Information Technology
October 25, 2022
Administrative Measures for the Filing of Network Product Security Vulnerability Collection Platforms
Article 1 In order to standardize the filing management of network product security vulnerability collection platforms, these Measures are formulated in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, and the Provisions on the Management of Network Product Security Vulnerabilities.
Article 2 These Measures shall apply to the filing management of network product security vulnerability collection platforms within the territory of the People’s Republic of China.
The network product security vulnerability collection platform (hereinafter referred to as the “vulnerability collection platform”) as mentioned in these Measures refers to a public Internet platform established by relevant organizations or individuals to collect security vulnerabilities in network products that are not their own, except for platforms used only to repair security vulnerabilities in their own network products, networks and systems.
Article 3 The filing of the vulnerability collection platform is carried out through the network security threat and vulnerability information sharing platform of the Ministry of Industry and Information Technology, and the online filing method is adopted.
Article 4 Organizations or individuals that intend to establish a vulnerability collection platform shall truthfully fill in the registration information of the network product security vulnerability collection platform through the Ministry of Industry and Information Technology’s network security threat and vulnerability information sharing platform, mainly including:
(1) The name, homepage URL, and Internet Information Service (ICP) license or record number of the vulnerability collection platform, relevant URLs for publishing vulnerability information, social software official accounts, and other Internet publishing channels;
(2) The name and certificate number of the organizing entity or organizing individual, as well as the names and contact information of the main person in charge of the vulnerability collection platform and of the contact person;
(3) The scope and method of vulnerability collection, vulnerability verification and assessment rules, rules for notifying relevant responsible entities to patch vulnerabilities, rules for vulnerability release, rules for verification of registered users’ identity, and rules for classification and grading management, etc.;
(4) The relevant materials for the filing of network security grade protection obtained through the communication network security protection management system of the Ministry of Industry and Information Technology;
(5) Implementing platform management according to relevant national standards and industry standards;
(6) Other information that needs to be explained as required by the competent department.
Article 5 After the Ministry of Industry and Information Technology receives the filing information submitted by the vulnerability collection platform, if the filled-in information is complete and meets the statutory requirements, it shall complete the filing within 10 working days, issue a filing number to the platform, notify the Ministry of Public Security and the State Internet Information Office of the filing information, and publish relevant filing information to the public through the Ministry of Industry and Information Technology’s Network Security Threat and Vulnerability Information Sharing Platform.
Organizations or individuals that intend to establish a vulnerability collection platform shall be responsible for the authenticity of the information filled in. If the filing information is found to be untrue or incomplete, the Ministry of Industry and Information Technology will notify the vulnerability collection platform to make corrections within 10 working days.
A vulnerability collection platform that has completed the filing shall indicate its filing number at the bottom of the homepage of its website.
Article 6 If the filing information changes, the filing change procedures shall be performed through the Ministry of Industry and Information Technology’s Network Security Threat and Vulnerability Information Sharing Platform within 30 days from the date of the information change.
Article 7 Those who no longer engage in the vulnerability collection business shall go through the filing cancellation procedures through the Ministry of Industry and Information Technology’s Network Security Threat and Vulnerability Information Sharing Platform on the date of termination of the business.
Article 8 A vulnerability collection platform shall complete the filing before going online, and vulnerability collection platforms that are already online shall file within 10 working days from the date of implementation of these Measures.
Article 9 The Ministry of Industry and Information Technology shall set up a reporting channel, and the public can report suspected violations of laws and regulations by a vulnerability collection platform by telephone, email, etc. through the Ministry of Industry and Information Technology’s Network Security Threat and Vulnerability Information Sharing Platform. If a report is verified, the vulnerability collection platform will be dealt with in accordance with laws and regulations.
Article 10 These Measures shall come into force on January 1, 2023.
Source: Cyber Security Administration of the Ministry of Industry and Information Technology