科技回声
China disciplines Alibaba Cloud for not reporting Log4j flaw to government first

15 points by lordentropy, over 3 years ago

2 comments

Erlangen, over 3 years ago

This is a terrible article. The relevant section in the law is below (translated with Google Translate). The text of the law is here: http://www.gov.cn/gongbao/content/2021/content_5641351.htm

> 发现或者获知所提供网络产品存在安全漏洞后,应当立即采取措施并组织对安全漏洞进行验证,评估安全漏洞的危害程度和影响范围;对属于其上游产品或者组件存在的安全漏洞,应当立即通知相关产品提供者。

> After discovering or learning about the security vulnerabilities in the provided network products, they should immediately take measures and organize verification of the security vulnerabilities to assess the degree of harm and impact of the security vulnerabilities; for the security vulnerabilities in their upstream products or components, they should immediately notify the relevant Product provider.

> 应当在2日内向工业和信息化部网络安全威胁和漏洞信息共享平台报送相关漏洞信息。报送内容应当包括存在网络产品安全漏洞的产品名称、型号、版本以及漏洞的技术特点、危害和影响范围等。

The relevant vulnerability information should be reported to the network security threat and vulnerability information sharing platform of the Ministry of Industry and Information Technology within 2 days. The content of the submission should include the product name, model, version, and the technical characteristics, harm, and scope of the vulnerability that have security loopholes in network products.

The law suggests bugs should be reported to upstream "immediately", and to the government "within 2 days".

Alibaba reported the bug to Apache first, and to the government 15 days later. So it is disciplined for not reporting to the government within 2 days.

And its report on government announcement is also very misleading.

"China’s internet security regulator has disciplined Alibaba Group Holding’s cloud computing services unit for failing to first report to the government a critical vulnerability in Apache’s Log4j software that has alarmed the cybersecurity community, Chinese media reported on Wednesday."

The government notice didn't write "failing to first report to the government". It's 未及时向电信主管部门报告 (not reported to the government in time).
lordentropy, over 3 years ago

By forcing Chinese developers to report zero-days to the government first before they are actually fixed, China is trying to get an upper hand in weaponizing zero-day vulnerabilities.