The exploration，disclosure，transaction，and renovation of Cyber-security vulnerabilities has increasingly become a central issue of Cyber-security governance. As private citizens identify software flaws and vulnerabilities，it is important that there is a legal means to allow them to positively contribute to security without threat of criminal penalization. The “Yuan Wei case” has shown the negative attitude Chinese criminal law has towards private citizens exploring Cyber-security vulnerabilities. Subsection 1 and 2 of Article 285 of Criminal Law outlines improper restrictions to the vulnerability exploration of ethical hackers. However，Article 26 of the Cyber-security Law-which outlines the application and scope of vulnerability exploration-should be used to remodel and improve the mechanisms for vulnerability management. Therefore，we must consider the dynamics，complexity，and openness of cyber security vulnerabilities；grasp the governance of vulnerability exploration；improve the legislative system of vulnerability exploration from the height of national security；perfect the vulnerability database and match the vulnerability rating mechanism；clarify the public-private cooperation framework，and disclosure procedure；authorize whom has access to exploration levels according to standard practices；and further strengthen the cross-border flow response to vulnerabilities.