The Administrative Provisions on Network Security Vulnerabilities (Draft for Comment) (the "Draft for Comment"), drafted by the Ministry of Industry and Information Technology ("MIIT") together with other related departments, were released on June 18, 2019 for public consultation. Comments will be accepted until July 18, 2019.
The Draft for Comment states that network product and service providers and network operators shall verify vulnerabilities in their network products, services or systems immediately after detecting or being informed of them. They shall then take measures to remove or guard against the vulnerabilities within 90 days for the network products concerned and within 10 days for the network services or systems concerned. In addition, within five days after such measures have been taken, the aforesaid providers or operators shall either make public which network security vulnerabilities have been identified and what measures users or relevant technical partners need to take to remove or guard against them, or notify, by means of customer services or otherwise, all users likely to be affected and relevant technical partners of the vulnerabilities and the corresponding measures; they shall also offer them necessary technical support and submit information on the vulnerabilities to the MIIT's Network Security Threat Information Sharing Platform.