InfoSecBulletin Cybersecurity for mankind
China proposed a four-tier classification to respond to data security incidents, showing its concern about data leaks and hacking in the country.
The plan is due to increased tensions with the United States and its allies. It follows an incident where a hacker claimed to have gotten a large amount of personal information on one billion Chinese from the Shanghai police.
CVE-2025-25291 & CVE-2025-25292
Attention! GitLab Patched Critical Authentication Bypass Flaws
CVE-2025-20138
Cisco released High Security Alert for IOS XR Software
400+ IPs Exploiting Multiple SSRF Vulnerabilities
NVIDIA has released update for NVIDIA Riva
CVE-2025-24201
Apple fixes 0-day exploited in “extremely sophisticated attack”
Microsoft’s March 2025 updates fix 7 zero-day, 57 flaws
Ballista Botnet infects 6000 Unpatched TP-Link Routers
CVE-2025-24813
Flaw in Apache Tomcat Exposes Servers to RCE
CISA Adds 3 Ivanti Endpoint Manager Bugs to KEV
Ransomware Attacks Set Records in February: New Data Shows
ALSO READ:
5 Islamic banks risk of being frozen out of certain transactions
China’s Ministry of Industry and Information Technology (MIIT) published a detailed draft plan laying out how local governments and companies should assess and respond to incidents.
The plan is seeking public opinions. It suggests a four-tier, color-coded system based on the level of harm to national security, a company’s online and information network, or the functioning of the economy.
Incidents will be considered “especially grave” if they cause losses over 1 billion yuan ($141 million) and affect the personal information of more than 100 million people, or the “sensitive” information of over 10 million people. In these cases, a red warning must be issued.
According to the plan, when there are red or orange warnings, the companies and local regulatory authorities must create a 24-hour work schedule to handle the incident. They also need to inform MIIT of the data breach within ten minutes of it happening, along with other actions.
“If the incident is judged to be grave… it should be immediately reported to the local industry regulatory department, no late reporting, false reporting, concealment or omission of reporting is allowed,” MIIT said.
