So nice of China to put all of its network zero-day vulns in one giant database no one will think to break into

The DB kept privately is no worse than the public cve dB shirly? I guess stuff responsibly disclosed but without a cve is at risk. however...

Generally I trust the intention. Google's Project Zero does not disclose anything until Google itself has a patch, so they get an advantage out of the bugs they find. Even if that patch takes them months to develop they sit on it until they have a fix. A staunch capitalist will says that's OK and that is what drives Google to find bugs and we should be grateful when they drop the bug and the exploit on the rest of the world.

Not everyone is a staunch capitalist. I believe Google is above the size of a government and should behave accordingly.

I'd also be surprised if Project Zero does not interact directly with the Nsa in the same manner, and the nsa let them keep the wraps on bugs. We know NSA keeps a DB of vulns. Not sure the Nsa as they stand are trustworthy enough. But I think the same idea in other countries makes just as much sense.

Defo can we have this one in the west please...

Folks are not allowed to "deliberately exaggerate the hazards and risks" of a bug.

Missing the Point

Anyone talking about China hoarding foreign vendor exploits is missing the point. This is about picking and choosing which bugs are publicly reported and patched by Chinese vendors, and which ones the government sits on. Even if it's not the intent, it's how it will shortly be used because it's the perfect tool for it.

A year ago China was saying it's racist paranoia to not trust them with all of our telecom infrastructure and that they would never do anything sketchy to exploit that. Today we discover that anyone who did so has China holding a veto on their network security along with the heist blueprints to exploit the hole they're vetoing a patch for. That's what you should be worried about.

Re: Why would it be a target for breakins?

According to a more complete translation: "the submission [to the central database(*)] should include the product name, model, version, and the technical characteristics, harm, and scope of the vulnerability that have security loopholes in network products."

So - depending precisely what 'technical characteristics' comes to mean - possibly quite vague, but if you have a bunch of these reports a good fraction will still signpost a skilled researcher to a vulnerability very quickly. Searching for a needle in a haystack is the most tedious part of this work, and if you know there's a needle near the bottom of this particular haystack it gets a whole lot easier.

(*) 'Ministry of Industry and Information Technology’s cyber security threat and vulnerability information sharing platform'

Also: "The network security threat and vulnerability information sharing platform of the Ministry of Industry and Information Technology simultaneously reports relevant vulnerability information to the National Network and Information Security Information Notification Center and the National Computer Network Emergency Technology Coordination Center."

So there'll be at least three copies of 0-day database. It sounds semi-public already to be honest.

Re: Easy way to

explicitly not weaponized. bugs minus exploits.

It's exploitable bugs but, let's be honest, you are going to have to weaponize it yourself.

Shellshock was a corker, not because it was any more or less of a remote exec than other bugs but because it was trivial to exploit.

Re: Database vulnerability

The requirement to submit the bugs within 2 days implies that it is either FAX or more likely electronic. Even if the machine receiving the submissions on is airgapped from the real database, the receiving machine will still contain the recent data that was submitted and have visibility of the requests coming in. Now you may be able to mitigate that by using public key encryption, but even just knowing the source of the message would help an attacker target investigations on that particular companies haystack.

Re: Interesting Article 7

"It potentially gives Beijing from that 2 days until a patch is released to do exploits."

My first thought was that that's a pretty reasonable point. Followed by -- but 2 days doesn't seem like a lot of time for a government to isolate a defect, code, debug, test, and use an exploit. Why not give themselves a week or two weeks?

Then, about an hour later the light dawned. There doesn't seem to be any indication I can see that this government data base will be accessible outside the government. Two days possibly is important but for exactly the opposite reason. It looks to maximize the amount of time Chinese intelligence has to isolate and exploit weaknesses before they are patched.

Re: Do they have

Oh, bother!

Re: Do they have

If I remember correctly, he was investigated by local plod. The situation changed when the government got involved.

You wouldn't would blame Obama for white cops killing black youth on his watch.

PRC is a wide term that involves the poor lad himself. Implying the government of the PRC is disengenious, in this case, and you get your downvote for dishonesty.

Re: Challenge accepted!

The U.S. Department of State’s Rewards for Justice (RFJ) program, which is administered by the Diplomatic Security Service, is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA). .... https://www.state.gov/rewards-for-justice-reward-offer-for-information-on-foreign-malicious-cyber-activity-against-u-s-critical-infrastructure/

That is blatantly discriminatory, excluding as it so clearly does from bounty, all free acting spirits/renegade rogue private pirate agents outside of the command and control of foreign governments ..... and quite why the U.S. Department of State’s Rewards for Justice (RFJ) program, which is administered by the Diplomatic Security Service would hogtie themselves to do battle in malicious cyber activities against U.S. critical infrastructure with the caveat ....... in violation of the Computer Fraud and Abuse Act (CFAA) ....... is something to ponder is totally unnecessary and very unAmerican.

It has one thinking that Uncle Sam [although he is definitely not alone in his current particular situation on the field] really doesn't yet get the truly extremely disruptive nature of the virtual activities which abound to astound all around ...... and that is one massive serial blackhole of a catastrophic vulnerability to ruthlessly and relentlessly exploit and export and expand upon/further develop and improve upon/increasingly reinforce with failsafe security measures ..... to effortlessly guarantee and provide future sovereign like immunity and impunity for Novel Worthy ACTivities in the Highly Contested and Immensely Valuable Fields of Proprietary Intellectual Property Endeavour and COSMIC [Control Of Secret Materiel in an Internetional Command] Discovery, to name but one beneficiary of the status quo position.

Re: Challenge accepted!

You would want to spend that dosh very quickly after being put on the hit list of certain departments you just dobbed in.