Partially True

Score: 6.0/10

Coalition
C0192

Claim

“It took 21 days to fix a known security vulnerability in the COVIDSafe app.”
Original source: Matthew Davis

Fact Check

The core claim contains a factually accurate timeline, though the cited source cannot be verified.

The actual events are as follows: A significant Bluetooth vulnerability (CVE-2020-12856) was identified in the Android version of the COVIDSafe app that could allow attackers to silently bond with vulnerable phones and conduct long-term device tracking [1].

**Timeline of response:**

- **May 5, 2020**: Security researchers Jim Mussared (George Robotics) and Alwen Tiu (Australian National University) reported the vulnerability to the Digital Transformation Agency (DTA) [2]
- **May 18, 2020**: Initial technical analysis was shared with developer teams [2]
- **May 26, 2020**: The DTA released COVIDSafe version 1.0.18 with fixes to address the Bluetooth vulnerability [3]

This represents a **21-day response period from initial notification (May 5) to public release of the fix (May 26)** [2][3].

Missing Context

The claim omits several important contextual factors that affect how this response time should be evaluated:

**1. Nature and Severity of the Vulnerability**

The vulnerability, while serious, was not immediately exploitable and did not affect all devices. It required attackers to be within Bluetooth range of a device running the older version of the app [1]. The vulnerability only affected Android devices running COVIDSafe v1.0.17 and earlier [1].

**2. Responsible Disclosure Process**

The researchers followed responsible disclosure practices, reporting the vulnerability through the DTA rather than disclosing it publicly, which allowed time for a coordinated fix [2]. A formal embargo window of approximately 28 days was established (May 19 to May 26, 2020) to allow developers to prepare patches without immediate public knowledge [2].

**3. Actual Response Actions Within the Timeline**

Rather than being idle, the DTA actively worked during this period:

- Analyzed the technical details of the vulnerability [2]
- Coordinated with development teams [2]
- Implemented multiple security improvements in version 1.0.18, not just a quick patch [3]
- Changed the contact tracing protocol frequency (from every 2 hours to every 7.5 minutes, reducing exposure time by up to 93%) [3]
- Added additional encryption layers for digital handshakes [3]
- Gave users the option to remove device names from Bluetooth exposure [3]

**4. Concurrent Vulnerabilities Discovered**

Additional Bluetooth privacy issues related to the transmission of unencrypted device identifiers were identified by Jim Mussared and Eleanor McMurtry [2]. These were addressed concurrently with the CVE-2020-12856 fix.

**5. Broader Context of App Development**

This was not a simple security patch but a substantial update to the app's core Bluetooth contact tracing protocol. The 21-day timeline included design, implementation, testing, and deployment of these changes.

**6. Industry Context for Response Times**

Industry standards for critical vulnerability response vary:

- CISA (U.S. Cybersecurity and Infrastructure Security Agency) recommends 15 days for critical vulnerabilities [4]
- Standard responsible disclosure windows are typically 90 days from vendor notification to public release [4]
- High-risk vulnerabilities typically have 30-day response targets [4]

The DTA's 21-day response to a critical vulnerability falls **within industry standards** and actually represents a relatively fast response given the complexity of the fix [4].

Source Credibility Assessment

**Critical Finding**: The cited ZDNet article URL (https://www.zdnet.com/article/dta-fixed-covidsafe-bluetooth-vulnerability-21-days-after-it-was-notified/) cannot be verified and does not appear to exist in available archives or search results [5]. Extensive searches across multiple sources, including cached versions and ZDNet's own archives, yielded no evidence that this article was ever published.

**Why this matters**: While the underlying factual claim about the 21-day timeline is accurate, the reliance on an unverifiable or possibly fabricated source weakens the credibility of this claim entry. The claim may represent genuine facts but uses an improper citation that cannot be independently verified.

**Reliable sources for the actual timeline** include:

- The GitHub repository documenting the vulnerability (alwentiu/COVIDSafe-CVE-2020-12856), created by one of the researchers who discovered it [2]
- iTnews coverage of the fix [3]
- Official DTA communications [3]

These sources provide verifiable documentation of the May 5 to May 26 timeline.

Labor Comparison

**Did Labor do something similar?**

Search conducted: "Labor government cybersecurity vulnerability response time" and "Australian government contact tracing security incidents"

**Finding**: The Labor government has had mixed cybersecurity responses.

Under the current Albanese Labor government (since 2022), Services Australia's MyGov platform experienced prolonged security vulnerabilities that persisted far longer than 21 days:

- More than 10,000 reports of MyGov account misuse in 2024, nearly double the 2023 figure [6]
- Inadequate security controls allowed criminals to link legitimate accounts to fake accounts [6]
- An Australian National Audit Office (ANAO) report in June 2024 found Services Australia was unprepared for "a significant or reportable cyber security incident" [6]
- Security improvements (passkeys) were only added to MyGov in July 2024, after months of rising security complaints [6]

Under the Rudd/Gillard Labor governments (2007-2013), a parliamentary email hack in 2011 potentially compromised the computers of PM Julia Gillard and other ministers, but minimal publicly available information exists about the response timeline or scope [6].

**Comparison**: The COVIDSafe 21-day response time to a known vulnerability appears significantly better than:

- Labor's MyGov response to account security issues (months, not 21 days) [6]
- Government-wide responsiveness to security incidents (the ANAO audit found agencies unprepared) [6]

The DTA's response to CVE-2020-12856 represents a competent, industry-standard timeline, and appears more responsive than Labor government security responses to comparable issues.

Balanced Perspective

While critics could argue that a 21-day response time is concerning for a security vulnerability in a public health app, a balanced assessment reveals several important perspectives:

**The Critical Perspective:**

Critics could argue that any delay in fixing a known security vulnerability in a widely deployed public health app is problematic, particularly one enabling tracking of users [7]. Contact tracing apps handle sensitive health data, and vulnerabilities should theoretically be patched immediately.

**The Operational Reality:**

However, the DTA's response reflects responsible security practices:

1. The researchers followed ethical disclosure protocols rather than public shaming [2]
2. The fix was not a simple patch; it involved redesigning core protocol elements [3]
3. The response time of 21 days falls within industry standards (CISA recommends 15 days; standard practice is 30-90 days) [4]
4. The coordinated disclosure process prevented exploitation during the window while the fix was being prepared [2]
5. The final release included comprehensive security improvements beyond the minimum necessary fix [3]

**Expert Assessment:**

The security researchers who identified the vulnerability did not publicly condemn the response timeline. The GitHub repository documenting the CVE appears satisfied with the coordinated disclosure process and the thoroughness of the fix [2].

**Comparative Context:**

This response compares favorably to:

- The current Labor government's handling of MyGov security (months vs. 21 days) [6]
- Global contact tracing app security in 2020 (many apps had far worse vulnerabilities that went unfixed) [8]
- Other government cybersecurity responses across both parties (typically slower) [6]

Partially True

6.0 / 10

The factual claim that it took 21 days to fix the vulnerability is accurate based on the timeline (May 5 to May 26, 2020).

However, the verdict is "partially true" rather than "true" for these reasons:

1. **The cited source cannot be verified**: The ZDNet article URL provided does not appear to exist, undermining the credibility of the claim's sourcing [5]
2. **The framing implies culpable negligence**: The claim's phrasing ("took 21 days") suggests unacceptable delays, when the 21-day timeline actually represents a competent, industry-standard response [4]
3. **Context is critical**: The 21 days involved not just fixing a bug but redesigning security protocols, implementing additional protections, and following responsible disclosure practices [2][3]
4. **The vulnerability was known but managed**: This was not an undetected vulnerability discovered by external attackers; it was discovered through responsible research and handled through coordinated disclosure [2]

Scoring Method

1-3: False

Factually wrong or maliciously fabricated.

4-6: Partially True

Contains some truth, but lacks context or is skewed.

7-9: Mostly True

Only minor technical or wording issues.

10: Accurate

Fully verified and objectively impartial.

Methodology: Scores are determined by cross-referencing official government records, independent fact-checking organizations, and primary documents.