An Alibaba engineer found the world-threatening software vulnerability related to Log4j, but instead of getting rewarded, the company was disciplined by the Chinese regulator for not telling authorities soon enough. China’s Ministry of Industry and Information Technology decided to suspend a cybersecurity partnership with Alibaba Cloud for six months, the Chinese publication 21st Century Business Herald reported Wednesday.
According to Bloomberg, an Alibaba cloud security engineer named Chen Zhaojun was the first person to find and report a significant flaw in the open-source software tool Log4j that’s widely used by companies worldwide. Chen notified Apache, the nonprofit foundation maintaining the software tool, on Nov. 24. But MIIT, China’s top tech regulator, only became aware of the flaw 15 days later on Dec. 9 through a cybersecurity report, likely not submitted by Alibaba.
A recent Chinese regulation named “Provisions on Security Loopholes of Network Products” went in effect in September. The provisions required that any Chinese company report the vulnerabilities it found to product providers immediately and to a Chinese loophole information sharing platform within two days.
Climate TRACE's data show emissions at the facility-level.Image: Climate TRACE