Vulnerability report

Secure systems and secure data are of critical importance. Have you encountered a vulnerability in our systems? Please report it without delay so we can address it.

20 Feb 1980

How to submit a report

Please submit vulnerability reports via our web form or email to csirt@muni.cz with the subject line "Vulnerability Report: [Brief Description]". 

Your report should include:

  • Clear description of the vulnerability
  • Steps to reproduce (may include screenshots or tools used) 
  • Potential impact of the vulnerability
  • Time frame during which the testing took place
  • Any supporting materials (proof of concept code, etc.)

Please indicate whether you would like to be acknowledged in our Security Hall of Fame. Acknowledgment is subject to necessary verification and to the report complying with our policy.

What to expect

  • Acknowledgment & Evaluation: The report will be assessed, and the team will acknowledge it or request additional information to confirm the vulnerability. All reports are processed within 2 business days.
  • Resolution: Verified vulnerabilities will be remediated. We try to fix vulnerabilities within a week's time, but more complicated reports can take longer.
  • Recognition: If agreed, your contribution will be acknowledged in our Security Hall of Fame. 

    We cannot offer any monetary rewards, but we hope the public recognition of your efforts will provide sufficient motivation for making the internet a slightly more secure place.

Guidelines & Requirements

We request you to:

  • Download only the data you need to show the vulnerability
  • Refrain from reading, removing or editing third-party data
  • Refrain from sharing the issue with others until it has been solved
  • Promptly delete any personal data that may have come into your possession
  • Refrain from using social engineering, DDoS, spam, or third-party applications

Out of scope

We do not reward trivial vulnerabilities or bugs that have no demonstrable security impact: 

  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces 
  • Issues that would require complex end user interactions to be exploited
  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
  • Fingerprint version banner disclosure on common/public services
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages
  • Disclosure of known public files (e.g. robots.txt)
  • Clickjacking and issues only exploitable through clickjacking
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies
  • HTTP security headers issues (Strict-Transport-Security, X-Frame-Options, etc.)
  • SSL/TLS Configuration Issues (weak cipher suites, forward secrecy)
  • SPF, DKIM, DMARC issues
  • Host header injection
  • Reporting out-of-date software versions without working exploit
  • Personal information (e.g., name, e-mail, učo, phone number) on public pages designed to share such information


We accept only reports that fall within our constituency, which includes:

  • all IPv4 addresses from the range 147.251.0.0/16
  • all IPv6 addresses from the range 2001:718:801::/48 
  • muni.cz domain and all its subdomains 

“We deeply value the expertise and contributions of security researchers in identifying potential security issues.”

CSIRT-MU Team


Security Hall of Fame

We would like to thank these ethical hackers and security researchers who helped us secure our systems and protect our users' data.

2026

Security Researcher - Auragng25


ACKNOWLEDGMENT

Reported a publicly accessible WordPress XML-RPC interface that, if improperly configured, may increase the risk of misuse, for example for brute-force or DDoS attacks.

Recognized: 24/3/2026
