The federal government has no plans to introduce a vulnerability disclosure program despite a number of security researchers calling for a better way of notifying about significant flaws such as those found in the digital vaccine certificate.
In response to questions on notice from Senate Estimates hearings last year, Services Australia brushed aside concerns about the security of its digital COVID-19 vaccination certificates, while the Digital Transformation Agency confirmed it has no intention to launch a government-wide bug bounty program.
Soon after the digital certificates were launched a number of security researchers said they were “woefully insecure” and were “very easy” to forge in minutes.
Developer Richard Nelson also demonstrated that he was able to produce a fake certificate using a “man-in-the-middle” attack against the Medicare app.
In response to questions on notice, Services Australia confirmed it was aware of this issue, but not concerned about it.
“The Agency is aware of media reports concerning man-in-the-middle cyber attacks via the Medicare Express Plus App, however notes such attacks require significant knowledge and expertise,” the Services Australia answer said.
“The Agency is also aware of a small number of scams relating to vaccination certificates and allegations of fake certificates. We work closely with the relevant authorities to address and manage those threats appropriately.”
Services Australia undertakes full cyber assessments several times a year, and works closely with the Australian Signals Directorate and the Australian Cyber Security Centre to find potential vulnerabilities in its mobile apps, the agency said.
“Contemporary cybersecurity measures are in place across the Agency’s Australian Immunisation Register system to protect data and people’s personal information,” the agency said.
“The Agency is managing the balance of providing consistent security features, appearance and format for vaccination certificates across all channels, while also considering customer experience and accessibility.
“The COVID-19 digital certificate is designed to be quick and simple for people to access digitally when they need it. As the certificate is designed to be digital in nature, the Agency encourages people to keep it secure on their phone or computer and not to share it.”
Mr Nelson, who reported a vulnerability in the digital certificate, has called for a government-wide disclosure program to make this process more effective.
He said that trying to notify Services Australia of the flaw was “really, really hard”.
“When the easy path to getting something fixed is tweeting it out and having journalists run with it, that’s the path people are going to take. It’s one I’d prefer not to do,” Mr Nelson said last year.
“Ultimately I want to report these issues responsibly and use my expertise to help them get fixed and not have to wonder if the person sitting next to me in a restaurant has forged their vaccine certificate or not.”
The Digital Transformation Agency was asked about this potential policy at an Estimates hearing late last year, but in response this year the agency poured cold water on the idea.
In response to the question from a Labor Senator, the Digital Transformation Agency said there was no vulnerability disclosure program in place, and no plans to introduce one.
Do you know more? Contact James Riley via Email.