Vulnerability disclosure policy
Introduction
Munich Re is devoted to protecting its clients from a variety of risks and to building relationships based on trust and confidence. Hence, the privacy of your data and the security of our digital products are our highest priority.
We want to encourage our clients, partners and security researchers, who are driven by the same cause, to report any vulnerability they discover in the company’s digital assets.
Munich Re highly appreciates the efforts that go into security research and reporting, as they help to improve the security and reliability of our services.
This policy describes the types of systems and research covered, how to report vulnerabilities, and submission turnaround timeframes. Please note that this policy is subject to amendment at any time, so please review it regularly to stay up to date.
Scope
Safe harbour
We ask that you always disclose vulnerabilities in a responsible manner, as described below, including when you voluntarily participate in our vulnerability disclosure programme with good intentions. If you conduct vulnerability research in accordance with this policy, we will not take or support any legal action against you.
If a third party takes legal action against you for your research, even though you have acted in accordance with this policy, we will ensure that compliance with our policy is communicated appropriately. If you have any concerns or doubts as to whether your research complies with this policy, please use the official channel to submit a report before you proceed with the research in question.
Please be aware that this policy does not exempt you from applicable federal, state and local hacking and privacy laws.
Guidelines
By accepting the rules of this policy and participating in the programme with good intentions, you agree to:
- Perform testing only on systems that are covered by the scope of this policy.
- Avoid any system or application interruption.
- Not use or exploit any of the discovered vulnerabilities; establishing persistence, lateral movement, data exfiltration, etc. are prohibited.
- Respect others’ privacy by not abusing it in any way, or exfiltrating or destroying any data that you might access in relation to the vulnerability.
- Report any detected vulnerability in a timely manner using the official channels defined in this policy.
- Not disclose a vulnerability unless this has been fully coordinated with Munich Re.
- Not execute any phishing, spamming, social engineering or denial-of-service attacks. The same applies to breaching the physical security of any property or building that belongs to Munich Re or its subsidiaries.
Our promise
- We will provide acknowledgement of report submission within 5 business days.
- We will confirm, as far as this is possible, the existence of a vulnerability and provide transparency about our steps and timelines to close it.
- If applicable, Munich Re will coordinate public disclosure of a confirmed vulnerability with you, which ideally should be posted at the same time.
Reporting vulnerabilities
We ask you to share any vulnerability you discover with us by reporting it to sirt@munichre.com.
Observing the following principles will increase the probability of your report being processed and accepted:
- Provide full details of the affected asset(s).
- Provide a proof of concept with the steps needed to reproduce the vulnerability, including screen captures of the issue and timestamps.
- Describe the reasons why the suspected vulnerability may impact the service in question, and to what extent.
- Avoid automated tool output. Reports that include only automated tool output are unlikely to be processed.