Code of Conduct for Disclosing Vulnerabilities

The following content outlines the framework for the external reporting of vulnerabilities in IT services and how such reports are handled by the City of Munich.

Introduction

The security of its IT systems is very important to the City of Munich. Despite careful development and thorough testing, our IT services always remain vulnerable to some degree.

In this Code of Conduct, we explain our ideas on how to discover and disclose these kinds of vulnerabilities and the expectations we are determined to meet.

Basic Requirements

We encourage you to contact us regarding any (potential) vulnerabilities in our IT systems and web applications.

If you identify vulnerabilities, please report them so they can be dealt with quickly. Also follow the guidelines described here. Provided your intentions are good, we will cooperate with you to resolve the issues as efficiently as possible.

Generally, the City of Munich will not prosecute activities that are performed to identify vulnerabilities as long as they are conducted in accordance with this Code of Conduct.

Guidelines for reports

  • Limit your testing to procedures necessary for the discovery of vulnerabilities.
  • Ensure that your actions do not cause any damage, data loss, or disruption to the City of Munich’s IT systems or services.
  • Do not exploit the vulnerability maliciously, for example by downloading or altering data beyond what is necessary. Minimal data samples or harmless code as proof of concept do not count as exploitation.
  • Do not publish or share any data downloaded in the process unless authorized by the City of Munich.
  • Do not publicly disclose the vulnerability before its remediation.
  • Immediately stop your testing if you encounter sensitive information (personally identifiable information – PII, medical, financial, protected information, or trade secrets).
  • Provide us with sufficient detail to be able to reproduce and analyze the issue. If possible, also give us contact data for follow-up questions.
  • Usually, the URL of the affected system and a description of the weakness are sufficient. Complex vulnerabilities may require additional explanations and documentation.
  • Whenever possible, use the reporting form provided below and note the Privacy Policy provided there.
  • Submit your report in English or German.

Please do not

  • … perform any actions which compromise, manipulate or damage IT systems, IT infrastructure, or individuals.
  • … introduce malware such as viruses, trojans, or worms.
  • … exploit systems to gain unauthorized control.
  • … copy, modify, or delete data.
  • … change systems or configurations.
  • … access the system repeatedly.
  • … share access with third parties.
  • … use any received access to enter other systems.
  • … alter other users’ permissions or accounts.
  • … use automated scanning tools.
  • … conduct brute-force, denial-of-service, or social-engineering attacks.
  • … attempt to bypass physical security controls.

We offer

  • We will confirm receipt of your report within three business days. In addition, we will provide you with information about the validity of the vulnerability and the progress of its processing.
  • We will treat your report confidentially and process your personal data in accordance with data privacy regulations.
  • We will try to remediate confirmed vulnerabilities as quickly as possible.
  • We do not operate a bug-bounty program and therefore cannot offer monetary or other rewards.
  • We sincerely appreciate your contribution to providing a secure digital Munich.

Qualified reports of vulnerabilities

Any reproducible design or implementation flaw that impacts security may be reported.

Common examples include:

  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Insecure Direct Object Reference
  • Remote Code Execution (RCE) or other injection vulnerabilities
  • Information Leakage and improper error handling
  • Unauthorized access to accounts or resources

Unnecessary reports

The following weaknesses are not considered reportable under this Code of Conduct:

  • Attacks that require physical access to devices or networks.
  • Forms without CSRF tokens (unless they enable a critical vulnerability rated above CVSS 5.0).
  • Missing security headers that do not lead to an exploitable vulnerability.
  • The use of a library known to be vulnerable or publicly known to be broken (without active proof of exploitability).
  • Reports from automated tools or scans without explanatory documentation.
  • Bots, spam, or mass account registrations.
  • Suggestions for best practices (for example, certificate pinning or security headers).

Reporting a vulnerability

Please use our reporting form to submit your findings.