It seems to be within 2 days, and they are legally obligated to share the information to them, but it seems that they are obligated to disclose it to Apache before disclosing it to the government, according to machine translation of this : http://www.gov.cn/gongbao/content/2021/content_5641351.htm
Apparently there is no legal requirement for disclosure in the case of a vulnerability in a foreign product at all.
Apparently there is no legal requirement for disclosure in the case of a vulnerability in a foreign product at all.