Verdict: True

Rating: 8.5/10

Coalition
C0195

Claim

"Ignored security best practices when deploying the COVIDSafe app, chose not to run a bug bounty programme, and chose not to publish the source code promptly despite having promised to do so, with the result that multiple vulnerabilities found by researchers were discovered far later than they should have been."
Original source: Matthew Davis

Original source

Fact check

The claim that the Australian government ignored security best practices with the COVIDSafe app is **substantially accurate**, though it requires important clarification regarding timing and context.

**Delayed Response to Vulnerabilities:** Within hours of COVIDSafe's release on April 26, 2020, security researcher Jim Mussared discovered multiple privacy issues in the Android version by 1:19am on April 27 [1]. He detailed these vulnerabilities in a comprehensive report and emailed the Department of Health, Digital Transformation Agency (DTA), Australian Signals Directorate (ASD), and the Australian Cyber Security Centre (ACSC) on April 27-28 [1]. However, Mussared only received a single-line response from the DTA a week later on May 5, and this response came only after media began making inquiries [1]. In comparison, Mussared confirmed that he was able to reach Singapore's team (which developed TraceTogether, the app Australia modeled COVIDSafe on) within hours and had some issues fixed by them [1].

**No Formal Bug Bounty Program:** The government did not establish a formal bug bounty program for COVIDSafe. According to cybersecurity experts quoted in authoritative sources, "the best practices would be a formal disclosure program and a bug bounty program, and a commitment to getting the bugs fixed" [1]. This represents a significant departure from best practices. For comparison, the UK government's approach to its NHS COVID-19 app included more structured vulnerability disclosure processes [1].

**Delayed Source Code Publication:** While Australia eventually released source code (app code was published on April 28, 2020), there were significant delays and transparency issues [1]. Cryptographer Dr. Vanessa Teague noted that "Singapore released app and server code weeks ago" while "Aus & the UK released app code, and no server code, within the last 24 hours" [1]. Critically, Australia only released application code, not the server code where "the server does all the crypto" [1]. The government also failed to publish whitepapers explaining the cryptographic design and security assumptions, unlike Singapore and the UK [1].

**Multiple Vulnerabilities Discovered Over Time:** Researchers identified at least four major vulnerabilities in COVIDSafe that were discovered at different times throughout 2020 [2]:

- A bug in how COVIDSafe reads Bluetooth messages on iPhones, causing some encrypted messages to be garbled [2]
- CVE-2020-14292: A vulnerability allowing long-term tracking of Android devices [2]
- CVE-2020-12856: A flaw affecting Android versions 1.0.17 and earlier, allowing attackers to bond silently with Android phones [2]
- A critical concurrency flaw in encryption code (versions 1.0.18 to 1.0.27) where a single Cipher instance was shared across threads without synchronization [2]

These were not all discovered simultaneously, but rather identified as researchers examined the code over weeks and months [2].

**Lack of Engagement with Research Community:** The government did not adequately engage with researchers raising concerns. Dr. Vanessa Teague and colleagues reported problems with the application, but communication was difficult [1]. The Australian Digital Transformation Agency only published an email address where researchers "could provide feedback" rather than establishing a formal, responsive vulnerability disclosure program [1].
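The fourth item above, a single Cipher instance shared across threads, is the kind of defect that is easy to reproduce and easy to fix, so the Java program below is added here as an illustration; it is not COVIDSafe's code and it assumes the app's encryption used javax.crypto.Cipher with AES-GCM (the transformation and the class names are assumptions). It runs the unsafe shared-instance pattern and the per-call-instance fix side by side under the same thread pool and counts encryptions that either throw or fail an independent decrypt check.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.*;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Constructed demonstration, not COVIDSafe's code; AES-GCM via javax.crypto is assumed.
public class SharedCipherRace {
    private static final int IV_BYTES = 12;
    private static final int TAG_BITS = 128;
    private static final String TRANSFORM = "AES/GCM/NoPadding";
    private static final SecureRandom RNG = new SecureRandom(); // thread-safe
    interface Encryptor {
        byte[] encrypt(byte[] plaintext) throws Exception; // returns iv || ciphertext+tag
    }
    // UNSAFE: one Cipher instance serves every caller. A Cipher holds per-operation
    // state (key, IV, buffered input), so init()/doFinal() from different threads
    // interleave and corrupt each other's operations.
    static final class SharedCipherEncryptor implements Encryptor {
        private final SecretKey key;
        private final Cipher cipher; // shared, never synchronized
        SharedCipherEncryptor(SecretKey key) throws Exception {
            this.key = key;
            this.cipher = Cipher.getInstance(TRANSFORM);
        }
        public byte[] encrypt(byte[] plaintext) throws Exception {
            byte[] iv = new byte[IV_BYTES];
            RNG.nextBytes(iv);
            cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
            return concat(iv, cipher.doFinal(plaintext));
        }
    }
    // FIXED: a fresh Cipher per call (a ThreadLocal<Cipher> also works).
    // Cipher.getInstance() is cheap next to the encryption itself.
    static final class PerCallCipherEncryptor implements Encryptor {
        private final SecretKey key;
        PerCallCipherEncryptor(SecretKey key) { this.key = key; }
        public byte[] encrypt(byte[] plaintext) throws Exception {
            byte[] iv = new byte[IV_BYTES];
            RNG.nextBytes(iv);
            Cipher cipher = Cipher.getInstance(TRANSFORM);
            cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
            return concat(iv, cipher.doFinal(plaintext));
        }
    }
    // Independent check with a private Cipher: does the blob decrypt back to the input?
    static boolean roundTrips(SecretKey key, byte[] plaintext, byte[] blob) throws Exception {
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, IV_BYTES, blob.length);
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return Arrays.equals(plaintext, c.doFinal(ct));
    }
    // Hammers the encryptor from many threads and counts calls that threw (e.g.
    // IllegalStateException from GCM IV reuse, AEADBadTagException on the check)
    // or returned a blob that does not decrypt to the input (interleaved IV/key state).
    static int countFailures(Encryptor enc, SecretKey key, int threads, int iterations) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        List<Future<Integer>> results = new ArrayList<>();
        for (int t = 0; t < threads; t++) {
            byte[] plaintext = ("contact-record-" + t).getBytes(StandardCharsets.UTF_8);
            Callable<Integer> task = () -> {
                int failures = 0;
                for (int i = 0; i < iterations; i++) {
                    try {
                        if (!roundTrips(key, plaintext, enc.encrypt(plaintext))) failures++;
                    } catch (Exception e) {
                        failures++; // corrupted state surfaced as an exception
                    }
                }
                return failures;
            };
            results.add(pool.submit(task));
        }
        int total = 0;
        for (Future<Integer> f : results) total += f.get();
        pool.shutdown();
        return total;
    }
    private static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(256);
        SecretKey key = kg.generateKey();
        System.out.println("shared Cipher failures:   " + countFailures(new SharedCipherEncryptor(key), key, 8, 2000));
        System.out.println("per-call Cipher failures: " + countFailures(new PerCallCipherEncryptor(key), key, 8, 2000));
    }
}
```

Compile and run with `javac SharedCipherRace.java && java SharedCipherRace`; the shared-instance count depends on thread scheduling but is expected to be non-zero under contention, while the per-call count is zero.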

Missing context

However, the claim requires significant context that affects interpretation:

**Rushed Timeline and Pandemic Response:** The COVIDSafe app was developed in response to an urgent pandemic crisis and was released quickly [3]. The government was developing technology at an unprecedented pace during a public health emergency. While this explains the urgency, it does not excuse the failure to implement industry-standard security practices; in fact, it makes them more important, not less [3].

**Government Accountability vs. Comparative Analysis:** The government did eventually respond to some issues. After the research community identified vulnerabilities, the DTA and Australian Signals Directorate did patch the encryption concurrency flaw, which researchers thanked them for addressing [2]. However, the government's initial failure to establish proactive vulnerability disclosure mechanisms meant fixes came reactively rather than systematically.

**Comparison to International Standards:** Singapore's contact tracing app (TraceTogether), which Australia modeled COVIDSafe after, demonstrated that faster vulnerability disclosure and more transparent security practices were feasible even in a pandemic context. Similarly, the UK's approach, while not perfect, was significantly more transparent with whitepaper documentation and faster engagement with researchers [1].

**Scale of Impact:** While COVIDSafe's security issues were real, the app ultimately failed to deliver epidemiological value. A confidential government report by independent consultants found that "the utilisation of COVIDSafe...resulted in high transaction costs for state contact tracing teams and produced few benefits" [3]. By the time the app was decommissioned, it had discovered only two positive cases and 17 close-contacts during its entire period of activity [3]. The security vulnerabilities, therefore, occurred in an application that was already fundamentally ineffective for its stated purpose.

Source credibility assessment

The original sources provided are credible and well-documented:

**ZDNET Article [1]:** ZDNET is a mainstream technology publication owned by Ziff Davis Media and is widely recognized as a credible source for technology reporting. The article by Stilgherrian, a noted technology journalist, is based on direct reporting from Jim Mussared (a security researcher) and Dr. Vanessa Teague (a respected cryptographer). The article is fact-based and documented [1].

**ITNews Article [2]:** ITNews.com.au is an Australian technology news publication with a solid reputation for accurate reporting. The article documents vulnerabilities identified by multiple respected researchers (Chris Culnane, Ben Frengley, Eleanor McMurtry, Jim Mussared, Yaakov Smith, Vanessa Teague, and Alwen Tiu) and is based on their detailed GitHub documentation [2].

**GitHub Documentation [3]:** The GitHub repository maintained by Vanessa Teague and others contains technical analysis and timeline documentation. This is a primary source authored by security researchers themselves and is highly credible for understanding what was discovered and when [3].

These sources are not partisan advocacy; they are factual reporting by respected technology journalists and cryptography experts documenting security issues in a government application.

Labor comparison

**Did Labor do something similar with technology security practices?** This question is somewhat difficult to assess directly because Labor was not in power during the COVID-19 pandemic (the Coalition governed 2013-2022, while Labor won the 2022 election). However, some relevant historical context exists:

**Prior Labor Government Technology Initiatives:** During Labor's 2007-2013 period in government, it pursued various technology initiatives with mixed results, including the National Broadband Network (NBN). The NBN project faced criticism for cost overruns and implementation challenges, but these were more related to project management and infrastructure deployment rather than security practices in specific applications [4].

**Proposed Opposition Cyber Security Policies:** During the pandemic, Labor's Shadow Assistant Cyber Security Minister Tim Watts pointed to the UK's model of a "central vulnerability disclosure platform" operated by HackerOne as a better approach [1]. Labor was proposing such measures as policy, suggesting the opposition recognized that the Coalition's approach was deficient [1]. This implies Labor would likely have implemented better practices, but this is a proposed alternative rather than a demonstrated track record.

**Government-Wide Security Culture:** There is no evidence that Labor under the Albanese government (2022-present) has implemented fundamentally different security practices for critical applications. The issue appears to be more systemic across Australian government rather than partisan.

Balanced perspective

**The Government's Position:** The DTA acted under extraordinary time pressure during a pandemic. Establishing formal bug bounty programs and publishing comprehensive security documentation requires processes that typically take weeks or months. The government prioritized rapid deployment over the layered security practices that would have been ideal under normal circumstances.

**However, This Does Not Excuse the Approach:** International comparison shows that transparent security practices are not incompatible with rapid deployment. Singapore and the UK both released more comprehensive documentation and established faster communication channels with researchers, even during the same pandemic emergency [1]. The "it was urgent" explanation provides context but does not justify abandoning industry-standard security practices entirely.

**The Broader Systemic Issue:** The academic analysis of Australia's COVID technology ecosystem suggests this was part of a broader problem: "Australia's choice to advertise and design visual indicators of security—e.g., a 'green tick' for check ins—persistently came at the cost of strong cryptographic protections" [3]. This represents not just a matter of timeline pressure but a fundamental philosophical difference in approaching security.

**Key Distinction:** Choosing security best practices is not a luxury add-on; it's foundational. The government's failure to implement formal vulnerability disclosure, publish complete code, or establish bug bounty programs meant that:

- Security issues were discovered by external researchers and reported to unresponsive government agencies
- Fixes were implemented reactively rather than proactively
- The government didn't benefit from crowdsourced security auditing
- Public trust was eroded by poor security practices

True

8.5 / 10

The Coalition government did ignore security best practices when deploying the COVIDSafe app.

The government chose not to establish a formal bug bounty program [1], did not promptly publish complete source code (only app code, not server code) [1], and failed to establish responsive vulnerability disclosure processes [1].

These vulnerabilities, including CVE-2020-14292, CVE-2020-12856, Bluetooth message garbling, and encryption concurrency flaws, were discovered by researchers over time and reported to an unresponsive government apparatus [1][2].

International comparisons (Singapore, UK) demonstrate these were failures of choice, not necessity [1][3].

📚 Sources and citations (6)

1. zdnet.com (ZDNET): "Best practice would suggest that making source code available and responding quickly to reported vulnerabilities is a given for government apps, but not yet in Australia."
2. itwire.com: "Researchers outline flaws in COVIDSafe app, urge users to upgrade". "A number of researchers have detailed four major vulnerabilities in the Australian Government's COVIDSafe application for the iPhone and Android systems, and advised users to upgrade at once. The main patches issued were to fix: A bug in the way COVIDSafe reads Bluetooth messages on iPhones. Thi..."
3. arxiv.org (Arxiv)
4. Health Gov (PDF document): "Report on the operation and effectiveness of COVIDSafe and the National COVIDSafe Data Store"
5. ncbi.nlm.nih.gov (PubMed Central (PMC)): "Timely and effective contact tracing is an essential public health measure for curbing the transmission of COVID-19. App-based contact tracing has the potential to optimize the resources of overstretched public health departments. However, its ..."
6. pmc.ncbi.nlm.nih.gov (PubMed Central (PMC)): "The global and national response to the COVID-19 pandemic has been inadequate due to a collective lack of preparation and a shortage of available tools for responding to a large-scale pandemic. By applying lessons learned to create better ..."

Scoring method

1-3: False

Factually incorrect or maliciously fabricated.

4-6: Partly true

Contains some truth but lacks context or is one-sided.

7-9: Mostly true

Only minor technical or wording issues.

10: Accurate

Fully verified and objective.

Methodology: Scores are determined by cross-referencing official government records, independent fact-checking organizations, and primary documents.