Partially True

Rating: 6.0/10

Coalition
C0024

The Claim

“Did not follow cyber security best practice for COVID digital vaccines. They have no effective way to report vulnerabilities, let alone have bug bounties to discourage sale of vulnerabilities to criminals. When the government is eventually made aware of vulnerabilities in their app, they don't respond to or resolve them in a timely way.”
Original Source: Matthew Davis
Analyzed: 29 Jan 2026

Original Sources Provided

FACTUAL VERIFICATION

Vulnerability in COVID Digital Certificate System

The core facts of the claim are substantially verified. Richard Nelson, a credible security researcher, discovered a significant vulnerability in Australia's Express Plus Medicare COVID-19 digital certificate system in September 2021 [1]. Nelson found it was trivial to make the Medicare app display a valid-looking COVID-19 vaccine certificate through what he describes as a "man-in-the-middle" vulnerability [2]. This finding was widely reported by mainstream media, including the ABC [3].

Lack of Vulnerability Disclosure Program

The claim about the absence of a formal vulnerability disclosure program is confirmed by government statements. During Budget Estimates hearings in late 2021, when grilled by Labor senators about the security vulnerabilities, Services Australia explicitly stated: "There are currently no vulnerability disclosure programs in place nor any future plans to implement such a program for the digital vaccination certificates" [4]. Additionally, the Digital Transformation Agency (DTA) stated it had "no plans to consider establishing bounty programs" [5].

Difficulty Reporting Vulnerabilities

Nelson's personal experience corroborates the second part of the claim. When he discovered the vulnerability, he faced significant challenges in reporting it through proper channels [1]. He attempted multiple reporting pathways:

  • Tried calling Services Australia directly but gave up after being placed on hold [1]
  • Found the Department of Health had a Vulnerability Disclosure Policy, but Express Plus Medicare fell under Services Australia, not Health [1]
  • Reported it via ReportCyber and the Australian Signals Directorate (ASD), but received no response until days later [1]
  • Only after publicly tweeting about the vulnerability and being contacted by journalists did Services Australia appear to take action [1]

Response and Remediation Timeliness

The evidence supports criticism of response timeliness. Nelson noted that Services Australia did not reach out to him after he went public via Twitter and media, likely because the issue had become sensitive and the agency wanted to avoid additional press coverage [1]. This demonstrates a reactive rather than proactive approach to vulnerability handling. However, the sources do not provide explicit evidence of extended remediation timelines after the initial reporting or public disclosure.

Missing Context

The claim requires significant additional context:

1. Government Cybersecurity Framework Existed: Services Australia claimed to undertake "full cyber assessments several times a year" and stated it "work[s] closely with the Australian Signals Directorate and Australian Cyber Security Centre on potential vulnerabilities on mobile applications" [4]. This indicates the government did have cybersecurity processes in place, though they were not sufficient for handling researcher reports.

2. Some Agencies Had Vulnerability Disclosure Programs: While Services Australia lacked a VDP, other Australian government agencies had implemented them. The Department of Home Affairs had a Vulnerability Disclosure Program in place [6], and Service NSW operated a bug bounty program through Bugcrowd [7]. This suggests inconsistent implementation across agencies rather than a government-wide policy failure.

3. Severity Assessment: Services Australia characterized the required attack as something that "require[s] significant knowledge and expertise" [4], suggesting they viewed the practical risk as lower than the theoretical vulnerability might suggest. However, this defense is weak—security vulnerabilities should be addressed regardless of attack complexity.

4. Forgeability vs. Tampering: The vulnerability involved making the app display a false certificate (client-side vulnerability) rather than creating counterfeit certificates that would pass backend validation. Nelson's own tweet emphasized the ease of the display vulnerability, but there's limited evidence the underlying registry could be spoofed [3].

5. Timeline of Rollout: The COVID-19 digital certificate was introduced relatively hastily during pandemic conditions (rolled out in mid-2021) [8]. This context doesn't excuse the security shortcomings, but explains some of the pressure to deploy quickly.

Source Credibility Assessment

Original Sources

Richard Nelson (Medium article):

  • Credible security researcher with demonstrable expertise; his other Medium articles show deep technical knowledge of government security systems (COVIDSafe analysis, Service NSW driver license reverse engineering) [1]
  • Personal account of attempting responsible disclosure; makes genuine effort to follow proper procedures before going public [1]
  • Transparent about his frustration and emotional state; acknowledges the difficulty of his position [1]
  • Appears motivated by public security, not partisan politics; no evidence of political alignment toward Labor [1]

ZDNet (Campbell Kwan article):

  • Mainstream technology news outlet with editorial standards [9]
  • Reports on Budget Estimates proceedings, which are documented public records [4]
  • Accurately cites the government's own statements; quotes are verifiable [4]
  • Campbell Kwan is a regular contributor on government technology issues [9]
  • However, the article emphasizes criticism from Labor senators and doesn't deeply explore government rationale or mitigating context

Bias Assessment

Neither source appears primarily motivated by partisan bias, though the ZDNet article gives prominence to Labor senators' criticisms in a federal Budget Estimates context. The sources are factual and verifiable, though they emphasize government failures rather than providing balanced context. This is appropriate for security reporting—the vulnerability was real and the response was inadequate—but the framing is inherently critical rather than neutral.


Labor Comparison

Did Labor have significant cybersecurity issues with digital health systems?

Search conducted: "Labor government Australian digital health system cybersecurity privacy breach MyHealth Records"

Labor's handling of the My Health Record system shows relevant precedent. The My Health Record was introduced by the Labor government in 2012 and became highly controversial [10]. The system faced significant privacy concerns, leading Labor itself to call for a suspension of the rollout when the Coalition expanded it [11]. The Privacy Commissioner raised concerns, and there was substantial public backlash [10]. While this represents a broader policy failure (flawed design from the start) rather than a cybersecurity vulnerability disclosure issue specifically, it demonstrates that Labor governments have also struggled with digital health system security and public trust in similar areas.

Comparable Cybersecurity Incident: There is no evidence of Labor government digital health systems facing similar cybersecurity vulnerability disclosure policy gaps during their period in government (2007-2013). However, the broader theme of inadequate digital security governance appears to be a systemic Australian government issue across parties rather than unique to the Coalition.


Balanced Perspective

Government's Position:
Services Australia maintained that the COVID-19 digital certificate system included multiple security layers and that the vulnerability discovered required "significant knowledge and expertise" to exploit [4]. The agency emphasized it was cooperating with the Australian Signals Directorate and conducting regular cyber assessments [4]. The government's perspective was that while the vulnerability should be addressed, it was not a critical failure requiring immediate overhaul of the entire system.

Security Expert Perspective:
Richard Nelson's position is well-reasoned from a security governance standpoint: even if a vulnerability requires expertise to exploit, proper channels for responsible disclosure should exist. He argues this is standard industry practice and that the absence of such channels is what forced him to make the issue public [1]. This is a legitimate concern about institutional security maturity, not just about the existence of any single vulnerability.

Systemic Issue vs. Malicious Intent:
The evidence suggests this was primarily a systemic governance failure (lack of formal processes) rather than negligence or malicious intent. Services Australia demonstrated awareness of security concerns and was conducting assessments [4]. The failure was in not having established, well-publicized, responsive channels for researchers to report vulnerabilities—a process issue rather than a technical issue.

Industry Practice Context:
Vulnerability disclosure programs (VDPs) and bug bounties have become industry standard practice across major tech companies and, increasingly, government agencies. The ASD and Cyber.gov.au have published guidance on implementing VDPs [12]. By 2021, the absence of a formal VDP for a public-facing COVID safety system was notably behind current best practices, though it wasn't unique to Australia or the Coalition government at that time.

Key context: The vulnerability disclosure issue is genuinely problematic and represents a failure to follow established cybersecurity best practices. However, it's not clear this was unique to the Coalition's COVID response or that Labor governments would necessarily have handled it differently—the My Health Record case shows digital health system governance has been challenging across parties.

Verdict: PARTIALLY TRUE (6.0 out of 10)

The specific factual claims about Services Australia's lack of a vulnerability disclosure program and the difficulty in reporting vulnerabilities are accurate and verified. However, the broader claim requires qualification:

  1. TRUE: Services Australia had no vulnerability disclosure program and explicitly stated no plans to implement one [4]
  2. TRUE: Reporting vulnerabilities was unnecessarily difficult and no effective process existed [1]
  3. TRUE: Response was slow and only accelerated after public disclosure [1]
  4. ⚠️ PARTIALLY TRUE: Claims about "not following cybersecurity best practice" are valid, but the government was conducting cyber assessments and working with ASD; the failure was specifically in public vulnerability disclosure processes, not in all cybersecurity practices [4]
  5. ⚠️ MISLEADING FRAMING: The claim's implication that this was uniquely egregious Coalition-era mismanagement is not well-supported. Labor government digital health projects (My Health Record) faced similar governance and security trust issues [10, 11]
  6. ⚠️ CONTEXT MISSING: During pandemic conditions in 2021, rapid deployment of public health infrastructure sometimes competed with security maturity; this doesn't excuse the failure but provides context

The verdict is that the core facts are sound, the criticism is legitimate, but the framing overstates uniqueness or severity without acknowledging comparable issues in Labor's digital health governance.

📚 SOURCES & CITATIONS (11)

  1. The need for an Australian Government Vulnerability Disclosure Policy - Richard Nelson, Medium
  2. COVID-19 vaccination certificates at risk of forgery after discovery of - ABC News
  3. Services Australia brushes off vulnerability concerns in COVID-19 digital certificates - ZDNet, Campbell Kwan
  4. Vulnerability Disclosure Program - Department of Home Affairs
  5. Service NSW Vulnerability Disclosure Program via Bugcrowd
  6. Service NSW official page (vulnerability reporting)
  7. ZDNet Editorial Standards and contributor information
  8. Privacy concerns of the Australian My Health Record: Implications for patient autonomy and consent - ScienceDirect
  9. My Health Record: privacy concern sparks calls from Labor to suspend rollout - Daily Telegraph
  10. Vulnerability Disclosure Programs explained - Cyber.gov.au
  11. ASD Responsible Release Principles - asd.gov.au

Rating Scale Methodology

1-3: FALSE

Factually incorrect or malicious fabrication.

4-6: PARTIAL

Some truth but context is missing or skewed.

7-9: MOSTLY TRUE

Minor technicalities or phrasing issues.

10: ACCURATE

Perfectly verified and contextually fair.

Methodology: Ratings are determined through cross-referencing official government records, independent fact-checking organizations, and primary source documents.