No plans to introduce government bug disclosure program


Denham Sadler
Senior Reporter

The federal government has no plans to introduce a vulnerability disclosure program, despite a number of security researchers calling for a better way to notify it of significant flaws such as those found in the digital vaccine certificate.

In response to questions on notice from Senate Estimates hearings last year, Services Australia brushed aside concerns about the security of its digital COVID-19 vaccination certificates, while the Digital Transformation Agency confirmed it has no intention to launch a government-wide bug bounty program.

Soon after the digital certificates were launched, a number of security researchers said they were “woefully insecure” and “very easy” to forge in minutes.

Developer Richard Nelson also demonstrated that he was able to produce a fake certificate using a “man-in-the-middle” attack against the Medicare app.

In response to questions on notice, Services Australia confirmed it was aware of this issue but was not concerned about it.

“The Agency is aware of media reports concerning man-in-the-middle cyber attacks via the Medicare Express Plus App, however notes such attacks require significant knowledge and expertise,” the Services Australia answer said.

“The Agency is also aware of a small number of scams relating to vaccination certificates and allegations of fake certificates. We work closely with the relevant authorities to address and manage those threats appropriately.”

Services Australia undertakes full cyber assessments several times a year, and works closely with the Australian Signals Directorate and the Australian Cyber Security Centre to find potential vulnerabilities on its mobile apps, the agency said.

“Contemporary cybersecurity measures are in place across the Agency’s Australian Immunisation Register system to protect data and people’s personal information,” the agency said.

“The Agency is managing the balance of providing consistent security features, appearance and format for vaccination certificates across all channels, while also considering customer experience and accessibility.

“The COVID-19 digital certificate is designed to be quick and simple for people to access digitally when they need it. As the certificate is designed to be digital in nature, the Agency encourages people to keep it secure on their phone or computer and not to share it.”

Mr Nelson, who reported a vulnerability with the digital certificate, has called for a government-wide disclosure program to make this process more effective.

He said that trying to notify Services Australia of the flaw was “really, really hard”.

“When the easy path to getting something fixed is tweeting it out and having journalists run with it, that’s the path people are going to take. It’s one I’d prefer not to do,” Mr Nelson said last year.

“Ultimately I want to report these issues responsibly and use my expertise to help them get fixed and not have to wonder if the person sitting next to me in a restaurant has forged their vaccine certificate or not.”

The Digital Transformation Agency was asked about this potential policy at an Estimates hearing late last year, but in response this year the agency poured cold water on the idea.

In response to the question from a Labor Senator, the Digital Transformation Agency said there was no vulnerability disclosure program in place, and no plans to introduce one.


1 Comment
  1. Frank B Collie 3 years ago

    This all sounds very consistent with a government that is self serving rather than serving the general public. Still this should not be much of a surprise that their only focus is the retention of office rather than service of us, the great unwashed.

    If the response is that a digital attack on the certificate requires “significant skills”, my retort is as follows. I have found the good people at Officeworks are perfectly capable of demonstrating the necessary operation of a colour copier, and I can replicate my paper certificate in less than 5 minutes and for $2. I am not so sure that this vulnerability requires either significant skills or resources. This is not a highly sophisticated digital attack and is completely achievable by all school kids 5+.

    Now that our data sets are being corrupted by self-reporting, system failures and false negatives, the gross numbers are becoming less useful. Perhaps it would be far more useful to bring the community along with this pandemic and the necessary community response; however, this requires a political cultural change which is not at all evident in the current infighting, self-serving, blame-shifting leadership that we have.

    There is a saying that you only get the politicians you deserve, so as a public we must have been really bad to deserve this.
