Chinese involvement in Sharepoint vulnerability exploitation?
Published by Politico, August 27, 2025
Dr. Sven Herpig was interviewed for the POLITICO Pro Newsletter on Cyberinsights. From the article:
"Bloomberg reported on Friday that Microsoft is looking into a possible leak in a program it uses to disclose vulnerabilities to cybersecurity companies, and whether this led to the exploitation by Chinese nation-state hacking groups of a major vulnerability in its SharePoint product. The program: Microsoft, through its Active Protections Program, informs accredited cyber firms of vulnerabilities before the general public. For some, it gives a 24-hour head start, and for others, five days. There are rules to join the program, but there is no bar on Chinese firms joining. By Cyber Insights’ count, there are 17 Chinese companies in the program. The problem: Chinese companies are obliged by law to inform the Chinese government of cyber vulnerabilities within two days. Once in the hands of the Chinese government, they could be exploited by state hacking groups."
[...]
"Nuance: Rather than applying a blanket ban on Chinese vendors, one approach Microsoft could take would be to block those companies that take part in a new Chinese vulnerability database (outlined here by the Atlantic Council) that observers say is connected to China’s offensive cyber efforts, said Sven Herpig, cybersecurity policy lead at German think tank Interface. That program is “much more than a database, it’s an entire program” that allows companies that pass over vulnerabilities to “get into the good graces of the Chinese government,” Herpig said."
Author: Dr. Sven Herpig, Lead Cybersecurity Policy and Resilience