I was about to say how great I think that law is, but then I checked the link you provided...
> anything discovered in the country must now be reported to the CCP *and to no one else* (in most cases).
The "no one else" part is terrible and completely changes the story. However, I do generally support a "tell the government about discovered vulnerabilities" law. Ideally, the government would then inform affected users and investigate whether the vuln could be considered negligence and the company prosecuted.
I've been in a few situations where I reported very easily exploitable vulns that leaked sensitive user data and in all cases, I couldn't for the life of me convince the companies to disclose the leak. Yes, I could've gone public myself where I didn't have a contract, but I would've 100% ended up in jail for some poorly defined crime of "hacking".