By 1:19am on April 27, Mussared had discovered multiple privacy issues in the Android version.
"The COVIDSafe app has a number of issues which may allow a malicious person to track any user for an indefinite period of time," he wrote in his detailed report.
"Don't Panic! Users are advised to be aware of these issues but in most cases might reasonably conclude that they are not significant enough to warrant not using the app."
On April 27 and 28, Mussared emailed the Department of Health, the Digital Transformation Agency (DTA), which had built the app, the Australian Signals Directorate (ASD), the Australian Cyber Security Centre (ACSC), and the Cyber Security CRC.
He finally received a response from the DTA a week later, on May 5: a single line acknowledging that they'd received his email.
It may be worth noting that this happened shortly after the media started making enquiries.
In your writer's view, this seems a long way short of best practice. Mussared agrees.
"The best practices would be a formal disclosure program and a bug bounty program, and a commitment to getting the bugs fixed," he told ZDNet.
"I've been able to confirm issues with the Singapore team within hours of finding them, and even had some fixed!"
That's not the only difference between Australia and other countries developing such an app. According to cryptographer Dr Vanessa Teague, Australia's approach lacks transparency.
"Aus & the UK released app code, and no server code, within the last 24 hours," she said, which is a problem because in both cases the server does all the crypto.
Both Singapore and the UK released whitepapers explaining their crypto and assumptions. The UK's whitepaper [PDF] is by Dr Ian Levy, technical director of the National Cyber Security Centre (NCSC).
"The UK whitepaper and app code give some opportunity to examine the crypto for bugs. In Aus we don't even know what encryption they're using (if any)," Teague wrote.
"In both cases, there are some things I disagree with, but I respect the authors for putting the details out for review."
Australia, however, has not even explained why it rotates the encrypted user IDs only every two hours, rather than every 15 minutes as Singapore does.
"We need to see the server code, and read some justification of the design decisions, so that we can identify and fix other bugs in #CovidSafeApp and have a genuine public debate about how it should change," Teague wrote.
In DTA's defence, all this was being done in a hurry. It's also the first time a government app has gained more than five million users in just a few days, and under such intense public scrutiny.
Labor's Shadow Assistant Communications Minister and Shadow Assistant Cyber Security Minister, Tim Watts, pointed to the success of the NCSC's central vulnerability disclosure platform as a proposed solution. It covers all UK government entities and is operated by HackerOne.
"[This] is a pretty different philosophical approach to security than we have in Australia at the moment," Watts said during a roundtable hosted by the Australian Strategic Policy Institute International Cyber Policy Centre last week.