- 2020/05/09: Discussion starts circulating in the community about an Amazon S3 bucket containing files named "CovidSafeUserData". Reported to ASD.Assist@defense.gov.au, email@example.com.
Have left voice mail with our internal contact at the DTA and emailed ASD.Assist@defense.gov.au. pic.twitter.com/3jbd5MgjOY — geoffrey huntley (@GeoffreyHuntley) May 9, 2020
CFS-8301. pic.twitter.com/j5Jbo5OQ4D — geoffrey huntley (@GeoffreyHuntley) May 9, 2020
- 2020/05/12: firstname.lastname@example.org (the designated security contact address) responded to the report incorrectly, directing Geoff to where he could download the application's source code.
Double what the f. Reported that a S3 bucket was online with database files named "#covidsafe user data" 👇 finally got a reply after two days? You are not going to believe it.
Potential data breach ignored.
Directed to look at source code instead. https://t.co/K1pctcw0jq pic.twitter.com/MijdDra4cu — geoffrey huntley (@GeoffreyHuntley) May 12, 2020
Recommended Next Steps
- Separate the customer support and security reporting channels, so that vulnerability reports reach people who can triage them. Establish a proper bug bounty programme.