Alibaba Suffers Government Crackdown Over Log4j
Alibaba, a Chinese tech giant, has reportedly been criticized by China’s top tech regulator for failing to report the infamous Log4j vulnerability quickly enough. The firm’s Alibaba Cloud business did not report the flaw to the Ministry of Industry and Information Technology (MIIT) in a timely manner, as required by the Provisions on Security Loopholes of Network Products, a protocol enacted by China as of September. The protocol mandates that vulnerabilities be reported immediately to the manufacturer and within two days to Chinese authorities. Because it did not report in time, Alibaba Cloud has been suspended from MIIT’s threat information sharing platform for six months.
Chen Zhaojun, a researcher at Alibaba Cloud, is credited with finding the first bug, called “Log4Shell,” in the popular logging utility. The vulnerability was given a CVSS severity score of 10, the highest rating allotted by the system. According to researchers, the utility is near-ubiquitous in enterprises and can be hard to find, and the flaw is easy to exploit. Although Chen reportedly notified Apache on November 21, MIIT only became aware of the vulnerability on December 9.