(Long) Dragon Tails – Measuring Dependence on International Vulnerability Research presented at Black Hat USA 2022

by Trey Herr, Stewart Scott, Frances Gambrill

Tags: Policy Human Factors

URL : http://i.blackhat.com/USA-22/Wednesday/US-22-Scott-Long-Dragon-Tails.pdf

Summary : This talk will present results of a study on the reliance of critical proprietary and open source software on Chinese software vulnerability disclosures. The increasingly difficult environment for Chinese security researchers became acute with the September 2021 passage of a law requiring vulnerabilities also be reported to the MIIT alongside the affected vendor. As yet, however, the impact of these restrictions has not been systematically evaluated in public.

This talk will present results of a quantitative analysis on the changing proportion of China-based vulnerability disclosures to major software products from a selection of proprietary vendors as well as several major open source packages. The analysis considers changes over time in response to the evolving Chinese legal environment, significant divergence from data on the allocation of bug bounty rewards, and noteworthy trends in the type and severity of acknowledged vulnerabilities.

Anecdotally, the Chinese research community's prowess is well known, from its bug discovery exploits at the Tianfu Cup to the prominence of enterprise research labs like Qihoo 360. However, recent laws designed to give the Chinese government early access to the community's discoveries—and the government's willingness to enforce those laws even on high-profile corporations, as with its recent punishment of Alibaba—demand a more thorough accounting. This talk will address implications for infosec as well as the wider policy environment, including selected recommendations on how to address the 'supply shock' of vulnerabilities from this research community.