Notifying vendors first about security flaws is a cybersecurity industry norm, but a new law encourages Chinese companies to first notify the government
That’s a bit… worrying
I think this is a wrong gesture on China’s part. The government should be a secondary entity to the developer entity of software code affected. Apache software’s bug should be known to Apache first, and then anyone else, considering Apache server is used everywhere in the world.
It is a double-edged sword: where is the Apache Foundation registered and operating? In the United States. The company that found the exploit, Alibaba, is Chinese. Even the department that found it (the security team) is located in the offices of Alibaba Cloud, in Singapore. In short, the Chinese government was very close to having a tool to seriously damage the Western technology infrastructure, without the other side ever knowing where exactly they were being hit from. And if it had been the other way around? If that information had reached the Singaporean authorities earlier? We must not forget that it is a very servile government to the United States. Or, in the worst-case scenario, the report was intercepted at the Apache Foundation. Remember PRISM? One of their goals is to find potential vulnerabilities and exploit them against “hostile forces”, even forcing companies registered on US soil, and several beyond their borders, to leave “backdoors” in their products/systems without public knowledge.
Fortunately or unfortunately, it was reported and announced publicly, without prior knowledge of the respective governments, so neither side gained a considerable advantage in this new field of warfare that is cyberspace.
In short, the Chinese government was very close to having a tool to seriously damage the Western technology infrastructure, without the other side ever knowing where exactly they were being hit from.
I thought of this later, but there is a significant downside with the Apache exploit, and that is the multiple FOSS projects around the world that are independent of government stuff. Think of the privacy SaaS. What if the OVH data centers, on which Lemmy runs, rely on Apache? Or any of the Fediverse networks?