Original link: https://www.williamlong.info/archives/6975.html
According to the website of the Ministry of Industry and Information Technology, the Ministry of Industry and Information Technology has issued a notice on the issuance of the “Administrative Measures for the Filing of Network Product Security Vulnerability Collection Platforms”. Vulnerability collection platforms should complete the filing before going online, and the online vulnerability collection platforms should be filed within 10 working days from the date of implementation of the Measures. The “Measures” will come into force on January 1, 2023.
The Measures clarifies that the “network product security vulnerability collection platform” (hereinafter referred to as the “vulnerability collection platform”) refers to the public Internet platform established by relevant organizations or individuals to collect security vulnerabilities of non-own network products, which is only used to repair their own network products, network products, and network products. Except for the purpose of system security vulnerability.
The “Measures” pointed out that the filing of the vulnerability collection platform is carried out through the network security threat and vulnerability information sharing platform of the Ministry of Industry and Information Technology, and the online filing method is used. Organizations or individuals that intend to establish a vulnerability collection platform shall truthfully fill in the registration information of the network product security vulnerability collection platform through the Ministry of Industry and Information Technology’s network security threat and vulnerability information sharing platform.
The following is the full text of the Measures:
Administrative Measures for the Filing of Network Product Security Vulnerability Collection Platforms
Article 1 In order to standardize the filing management of network product security vulnerability collection platforms, these Measures are formulated in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, and the Provisions on the Management of Network Product Security Vulnerabilities.
Article 2 These Measures shall apply to the filing management of network product security vulnerability collection platforms within the territory of the People’s Republic of China.
The network product security vulnerability collection platform (hereinafter referred to as the “vulnerability collection platform”) as mentioned in these Measures refers to the public Internet platform established by relevant organizations or individuals to collect security vulnerabilities of non-own network products, which is only used to repair their own network products, network and system security. Except for vulnerability use.
Article 3 The filing of the vulnerability collection platform is carried out through the network security threat and vulnerability information sharing platform of the Ministry of Industry and Information Technology, and the online filing method is adopted.
Article 4 Organizations or individuals that intend to establish a vulnerability collection platform shall truthfully fill in the registration information of the network product security vulnerability collection platform through the Ministry of Industry and Information Technology’s network security threat and vulnerability information sharing platform, mainly including:
(1) The name, homepage URL, and Internet Information Service (ICP) license or record number of the vulnerability collection platform, relevant URLs for publishing vulnerability information, social software official accounts, and other Internet publishing channels;
(2) The name or name and certificate number of the organizer or the organizer, as well as the name and contact information of the main person in charge of the vulnerability collection platform and the contact person;
(3) The scope and method of vulnerability collection, vulnerability verification and assessment rules, rules for notifying relevant responsible entities to patch vulnerabilities, rules for vulnerability release, rules for verification of registered users’ identity, and rules for classification and grading management, etc.;
(4) The relevant materials for the filing of network security grade protection obtained through the communication network security protection management system of the Ministry of Industry and Information Technology;
(5) Implementing platform management according to relevant national standards and industry standards;
(6) Other information that needs to be explained as required by the competent department.
Article 5 After the Ministry of Industry and Information Technology receives the filing information submitted by the vulnerability collection platform, if the filled-in information is complete and meets the statutory requirements, it shall file the filing within 10 working days, issue a filing number to it, and notify the public security of the filing information. Ministry of Industry and Information Technology and the State Internet Information Office, and publish relevant filing information to the public through the Ministry of Industry and Information Technology’s network security threat and vulnerability information sharing platform.
Organizations or individuals that intend to establish a vulnerability collection platform shall be responsible for the authenticity of the information filled in. If the filing information is found to be untrue or incomplete, the Ministry of Industry and Information Technology will notify the vulnerability collection platform to make corrections within 10 working days.
A vulnerability collection platform that has completed the filing shall indicate its filing number at the bottom of the homepage of its website.
Article 6 If the filing information changes, the filing change procedures shall be performed through the Ministry of Industry and Information Technology’s Network Security Threat and Vulnerability Information Sharing Platform within 30 days from the date of the information change.
Article 7 Those who no longer engage in the vulnerability collection business shall go through the registration and cancellation procedures through the Ministry of Industry and Information Technology’s Network Security Threat and Vulnerability Information Sharing Platform on the date of termination of the business.
Article 8 The vulnerability collection platform shall complete the filing before going online, and the online vulnerability collection platform shall be filed within 10 working days from the date of implementation of these measures.
Article 9 The Ministry of Industry and Information Technology shall set up a reporting channel, and the public can report the suspected violation of laws and regulations of the vulnerability collection platform through the telephone, email, etc. of the network security threat and vulnerability information sharing platform of the Ministry of Industry and Information Technology. If verified, the vulnerability collection platform will be dealt with in accordance with laws and regulations.
Article 10 These Measures shall come into force on January 1, 2023.
This article is reprinted from: https://www.williamlong.info/archives/6975.html
This site is for inclusion only, and the copyright belongs to the original author.