The need for an Australian Government Vulnerability Disclosure Policy
Recently, I found a weakness in the Express Plus Medicare application’s COVID-19 digital certificate.
It was widely reported on, but I’d like to discuss my thoughts on this because I still feel conflicted and my hope is that by sharing my thoughts, the process might be made better.
This is just one story. I’ve had good experiences reporting issues, and experiences that were much more opaque. There are many government departments building tech, and I’m sure they all differ.
After I discovered how trivial it was to convince the Medicare app to display a valid-looking COVID-19 vaccine certificate, I wanted to get in touch with Services Australia (the Express Plus Medicare app falls under them) and discuss it. This was really, really hard. There’s a generic feedback form and some general phone numbers. I tried calling one but gave up after being on hold for some time. I found that the Department of Health actually has a VDP, but this app doesn’t fall under them. I did report it there in the hope that someone might forward it on, but did not get a response until days later. I also eventually reported it via ReportCyber, and ASD did forward it on to Services Australia, but I never heard back.
So I tweeted it out. I put effort into not disclosing details of how I did it, but I did want to show how trivial it was. Within minutes, journalists were getting in touch, trying to understand what was going on and verifying what I had done. At this point, my exhaustion at the failure of politicians and the DTA to listen to any experts at all on the COVIDSafe app had got me to the point where, while I wanted to be responsible about it, I was more than happy to talk to journalists in the hope that it would get enough attention for it to be fixed.
I strongly suspect that because I talked to journalists, Services Australia figures the risk is too high to get in touch with me, as the issue has presumably become a sensitive one, and I’m sure they don’t want more press. This isn’t difficult though — if they reached out in good faith, discussed the issues and asked me to keep the discussion confidential, I would.
More importantly, it highlights the need for a broad government VDP. When the easy path to getting something fixed is tweeting it out and having journalists run with it, that’s the path people are going to take. It’s one I’d prefer not to take. It’s stressful, and I’m never quite sure what angles journalists may run with (though my experiences have been very positive, and not the kind that require media training). Ultimately I want to report these issues responsibly and use my expertise to help get them fixed (for free), and not have to wonder whether the person sitting next to me in a restaurant has forged their vaccine cert.
As the government builds more tech, private citizens are getting more and more interested in it. I’m sure the community response to COVIDSafe was far larger than anyone would have guessed. However, the government doesn’t need to be embarrassed by mistakes. Every software vendor has security problems eventually; infosec is not getting easier. A good VDP and program builds huge amounts of trust within the community, even if there’s no monetary/bounty payout.
If this were as easy as going to Bugcrowd (rather than having to navigate different government departments’ websites), submitting details confidentially and knowing I’d get a response (even if just through Bugcrowd triage), it would be a much safer and easier option for all. And I’d feel good about it.