China and Vulnerability Research

Some Thoughts

For the last few years Chinese vulnerability research teams have dominated the exploit competitions around the world. As I wrote before, this is because the major Chinese technology companies are in a battle for cybersecurity mindshare in the Chinese market. They use the CVE assignments, exploit competition wins and recognition from major software vendors as demonstrations of their expertise in cyber security. It is roughly like Bugtraq in the 1990s.

To encourage their teams to enter and win exploit contests, the companies have various incentive structures: for example, the team members keep the winnings, and some companies even pay bonuses for winning entries. These are dream jobs for many hackers: full-time research, high salary, big bonuses, international travel, and recognition.

The companies also get value for their investment: their marketing departments are able to exploit the international recognition to full effect. There is a clear win-win relationship between the vulnerability research teams and the companies. So far, so good.

This year there was a change. Security forces informed the major companies involved in international exploit competitions that the rules for vulnerability handling have changed: no third parties, only direct to the vendor. For someone who is not familiar with how a context-rich society works, this may sound like an opportunity for language lawyering and quibbling about the definition of "third party". This line of thinking is misguided, at best.

First, one must realise that this is not a new law, but rather a policy change issued by the police. That means the police are responsible for interpreting whether an action is in violation of the policy. Fundamentally, that means "obey the intent of the new policy", because there is no "letter of the law" to follow. For Westerners this may seem confusing, but it is critical to understand that the wording of the policy is less important than the intent of the officials who issued it.

Which brings up the far more interesting question: what is the intent of this new policy? It is important to know whether this is a temporary measure because officials have decided that right now is particularly sensitive and they don't want the attention, or whether this is a permanent policy change that will remain in place for a long period of time.

If this is temporary (say, a year or less), then the effects will likely be minimal. Companies and researchers will simply wait it out and emerge with even more exploits to show off. However, if this is a permanent change, then the implications are extremely interesting. For the sake of argument, let's assume that this is a long-term policy. What does that mean for the Chinese cyber security community?

Assuming the restriction is long-lasting, the first-order effects will impact both the companies and the researchers. The companies will lose a substantial marketing vector, and maintaining huge research teams will be a financial drain with little in the way of ROI. Reducing the size of their vulnerability research teams will make sound financial sense. The researchers will also lose out on a lot of major perks: international travel and recognition, plus a substantial portion of their take-home pay.

Remaining as a researcher at a company that cannot participate in exploit competitions is a lot less attractive than the alternatives. Working at a small national security cyber defense company will provide the same full-time research work, be patriotic, and offer significantly more lucrative income.

Therefore, if the policy change is long-term, the effect will be to incentivize the trained and motivated vulnerability research teams to leave their existing roles and become part of the natsec fabric. Simultaneously, the companies employing these huge teams will be incentivized to reduce the size of the research units to bring them in line with the ROI of "11pt Arial font" marketing.

So, either this is just a temporary change and the Chinese teams will be dominating pwn2own again in no time, or this is an extremely clever social engineering maneuver to grow China’s indigenous offensive cyber security capacity. Time will tell.

There is a good way to detect what impact the policy change is having on the Chinese research teams, because their output is directly visible in the security vulnerabilities fixed by major vendors. There will be a lag as the previously reported vulnerabilities are cleared away, but if the number of Chinese teams credited in the acknowledgements of Microsoft, Android and Apple security advisories drops, then an outside observer can measure the impact. That's the metric to watch now: the acknowledgements in security updates.