PoliticalClaims.au

The claim that the Australian government ignored security best practices with the COVIDSafe app is **substantially accurate**, though it requires important clarification regarding timing and context. **Delayed Response to Vulnerabilities:** Within hours of COVIDSafe's release on April 26, 2020, security researcher Jim Mussared discovered multiple privacy issues in the Android version by 1:19am on April 27 [1].

He detailed these vulnerabilities in a comprehensive report and emailed the Department of Health, Digital Transformation Agency (DTA), Australian Signals Directorate (ASD), and the Australian Cyber Security Centre (ACSC) on April 27-28 [1].

However, Mussared only received a single-line response from the DTA a week later on May 5, and this response came only after media began making inquiries [1].

In comparison, Mussared confirmed that he was able to reach Singapore's team (which developed TraceTogether, the app Australia modeled COVIDSafe on) within hours and had some issues fixed by them [1]. **No Formal Bug Bounty Program:** The government did not establish a formal bug bounty program for COVIDSafe.

According to cybersecurity experts quoted in authoritative sources, "the best practices would be a formal disclosure program and a bug bounty program, and a commitment to getting the bugs fixed" [1].

This represents a significant departure from best practices.

For comparison, the UK government's approach to its NHS COVID-19 app included more structured vulnerability disclosure processes [1]. **Delayed Source Code Publication:** While Australia eventually released source code (app code was published on April 28, 2020), there were significant delays and transparency issues [1].

Cryptographer Dr.

Vanessa Teague noted that "Singapore released app and server code weeks ago" while "Aus & the UK released app code, and no server code, within the last 24 hours" [1].

Critically, Australia only released application code—not the server code where "the server does all the crypto" [1].

The government also failed to publish whitepapers explaining the cryptographic design and security assumptions, unlike Singapore and the UK [1]. **Multiple Vulnerabilities Discovered Over Time:** Researchers identified at least four major vulnerabilities in COVIDSafe that were discovered at different times throughout 2020 [2]: - A bug in how COVIDSafe reads Bluetooth messages on iPhones, causing some encrypted messages to be garbled [2] - CVE-2020-14292: A vulnerability allowing long-term tracking of Android devices [2] - CVE-2020-12856: A flaw affecting Android versions 1.0.17 and earlier, allowing attackers to bond silently with Android phones [2] - A critical concurrency flaw in encryption code (versions 1.0.18 to 1.0.27) where a single Cipher instance was shared across threads without synchronization [2] These were not all discovered simultaneously, but rather identified as researchers examined the code over weeks and months [2]. **Lack of Engagement with Research Community:** The government did not adequately engage with researchers raising concerns.

Dr.

Vanessa Teague and colleagues reported problems with the application, but communication was difficult [1].

The Australian Digital Transformation Agency only published an email address where researchers "could provide feedback" rather than establishing a formal, responsive vulnerability disclosure program [1].