Code of Conduct for Disclosing Vulnerabilities
The following content outlines the framework for the external reporting of vulnerabilities in IT services and how such reports are handled by the City of Munich.
Introduction
The City of Munich places great importance on the security of its IT systems. Despite careful development and thorough testing, vulnerabilities in our IT services can never be completely ruled out. This Code of Conduct explains how we envision the discovery and disclosure of such vulnerabilities, how you can inform us about discovered vulnerabilities, and what behavior you can expect from us.
Basic Requirements
We encourage you to contact us regarding any (potential) vulnerabilities in our IT systems and web applications.
If you act in good faith to identify vulnerabilities in the City of Munich’s IT systems, report them so they can be remediated quickly, and follow the guidelines described here, we will cooperate with you to resolve the issues as efficiently as possible.
In principle, the City of Munich does not intend to take criminal action in connection with good-faith vulnerability research conducted in accordance with this Code of Conduct.
Please follow these guidelines
- Limit your testing to what is necessary to find the vulnerability.
- Ensure that your actions do not cause any damage, data loss, or disruption to the City of Munich’s IT systems or services.
- Do not exploit the vulnerability maliciously, for example by downloading or altering data beyond what is necessary. Minimal data samples or harmless code as a proof of concept do not count as exploitation.
- Do not publish any data downloaded during the discovery or share it with third parties, unless authorized by the City of Munich.
- Do not publicly disclose the vulnerability before it has been remediated.
- Stop your testing immediately if you encounter sensitive information (personally identifiable information (PII), medical, financial or otherwise protected information, or trade secrets).
- Provide sufficient detail for us to reproduce and analyze the issue. If possible, also provide a contact method for follow-up questions.
- As a rule, the address or URL of the affected system and a description of the vulnerability are sufficient. Complex vulnerabilities may require additional explanations and documentation.
- Use our reporting form whenever possible and review the privacy notices provided there.
- Submit your report in English or German.
Please Avoid the Following Activities
- Any testing or actions that compromise, manipulate, or damage IT systems, IT infrastructure, or individuals.
- Introducing malware such as viruses, trojans, or worms.
- Exploiting systems to gain unauthorized control.
- Copying, modifying, or deleting data.
- Making changes to systems or configurations.
- Repeatedly accessing the system or sharing access with third parties.
- Using any access obtained to reach other systems.
- Altering other users' permissions or accounts.
- Using automated scanning tools.
- Conducting brute-force, denial-of-service, or social-engineering attacks.
- Attempting to bypass physical security controls.
What You Can Expect From Us
- We will confirm receipt of your report within three business days and keep you informed about whether the vulnerability is confirmed and about the progress of its remediation.
- We treat your report confidentially and process your personal data in compliance with applicable data-protection regulations.
- We strive to remediate confirmed vulnerabilities as quickly as possible.
- We do not operate a bug-bounty program and therefore cannot offer monetary or other rewards.
- We sincerely appreciate your contribution and are working together for a secure digital Munich.
Qualified reports of vulnerabilities
Any reproducible design or implementation flaw that impacts security may be reported. Common examples include:
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Insecure Direct Object Reference
- Remote Code Execution (RCE) or other injection vulnerabilities
- Information Leakage and improper error handling
- Unauthorized access to accounts or resources
- and many more
Non-qualifying reports
The following types of findings are not considered reportable under this Code of Conduct:
- Attacks that require physical access to devices or networks.
- Forms without CSRF tokens (unless the missing token leads to a vulnerability rated above CVSS 5.0).
- Missing security headers that do not lead to an exploitable vulnerability.
- The use of a library known to be vulnerable or publicly known to be broken (without active proof of exploitability).
- Reports from automated tools or scans without explanatory documentation.
- Bots, spam, or mass account registrations.
- Suggestions for best practices (for example, certificate pinning or security headers).
Reporting a vulnerability
Please use our reporting form to submit your findings.