Alibaba Cloud penalized for not reporting the 'Apache Log4j' vulnerability to the Chinese government first



It has been reported that the Chinese government imposed a penalty on the Alibaba Cloud security team, which discovered the zero-day vulnerability 'Log4Shell' in the Java library Apache Log4j and reported it to Apache, on the grounds that the team 'did not report it to the government first'.

Apache Log4j bug: China's industry ministry pulls support from Alibaba Cloud for not reporting flaws to government first | South China Morning Post

China regulator suspends cyber security deal with Alibaba Cloud | Reuters

China suspends deal with Alibaba for not sharing Log4j 0-day first with the government

According to reports such as the South China Morning Post, a daily newspaper owned by Alibaba Group, one of the world's largest retail and e-commerce companies, the Ministry of Industry and Information Technology has suspended its partnership with Alibaba Cloud, the cloud computing division of Alibaba Group, for six months because Alibaba Cloud did not report the serious 'Apache Log4j' vulnerability to the Chinese government first.

Losing the backing of the Ministry of Industry and Information Technology is expected to have an impact on Alibaba Cloud's business, but it is unclear how much it will cost.

When a security flaw is found, it is customary in the cybersecurity industry to report it to the vendor first, so it was natural for Alibaba Cloud to report to Apache; in China, however, a new law encourages reporting any such problems to the Chinese government first.

in Security, Posted by logc_nt