San Jose Bug Bounty - Submit Report to City Systems

Technology and Data · California · 3 Minutes Read · published February 06, 2026

San Jose, California operates defined channels for reporting security vulnerabilities found in city systems. This guide explains what to report, how to submit a responsible disclosure or bug bounty report, who enforces city policies, and practical next steps for Technology and Data issues affecting municipal services. It is written for security researchers, contractors, and city staff who discover potential vulnerabilities and need a clear, official-facing process. Information in this article is current as of February 2026.

Report vulnerabilities responsibly to avoid disruption to city services.

What to report and scope

Focus reports on reproducible security vulnerabilities in City of San Jose systems, services, and public-facing applications. Do not exploit vulnerabilities beyond verification and do not access or expose private data. When in doubt, report the issue and note the extent of your testing.

Penalties & Enforcement

The City treats unauthorized intrusion, data exfiltration, or disruptive testing seriously. Specific monetary penalties tied to a bug bounty program are not published on city policy pages and are therefore not specified on the cited page.

  • Enforcer: Information Technology Department and City Attorney handle enforcement and legal response.
  • Fines: Not specified on the cited page; criminal or civil remedies may apply under state or city law.
  • Escalation: First reports are triaged; repeat or continuing offenses may lead to formal legal action or referral to law enforcement. Specific escalation fines or tiers are not specified on the cited page.
  • Non-monetary sanctions: Orders to cease activity, civil injunctions, restoration orders, and referral to prosecution where applicable.
  • Inspection and complaint pathways: Reports should be sent to the City's designated IT security contact or official reporting channel listed under Help and Support / Resources below.
  • Appeals/review: Administrative or legal review routes exist through the City Attorney or courts; specific time limits for appeals are not specified on the cited page.
  • Defenses/discretion: Authorized testing under an approved program or written permission from the City is a primary defense; reasonable excuse defenses depend on facts and are subject to enforcement discretion.

If you discover sensitive data, stop testing and preserve evidence for the City's investigators.

Applications & Forms

The City does not publish a standard public form labeled "bug bounty" in the municipal code pages; submitters should use the Information Technology Department contact or the City's official report channels listed in Resources. If an official vulnerability disclosure form is available, it will be posted by the City on its IT or security pages.

How the City typically handles a report

  • Triage: IT reviews and validates the report.
  • Assessment: Impact, severity, and scope are determined.
  • Remediation: Fixes are planned and implemented.
  • Notification: City may notify affected users and regulators per legal requirements.

Common violations and typical outcomes

  • Unauthorized access to private records: may lead to referral for prosecution and civil liability.
  • Denial-of-service testing that disrupts service: may lead to immediate blocking and legal action.
  • Data exfiltration or exposure: strong enforcement and possible criminal charges.

FAQ

Who should I contact to submit a vulnerability report?
Use the Information Technology Department's official reporting channel for San Jose; see Help and Support / Resources below.
Will I be rewarded for reporting a vulnerability?
San Jose's public pages do not publish a standard reward schedule; inclusion in any bounty or reward program depends on the City's posted program terms or a prior written agreement.
Can I test live city systems?
Only perform testing with explicit permission; unauthorized testing may be subject to enforcement.

How-To

  1. Document the issue with clear reproduction steps, affected URLs, timestamps, and any error messages.
  2. Preserve logs and avoid actions that further expose data or disrupt services.
  3. Submit your report to the City's IT security contact with evidence and your recommended mitigation, and request acknowledgement.
  4. Cooperate with City staff for validation and remediation; follow disclosure timelines agreed with the City.
  5. If a reward is offered, follow the City's documented claim process and provide any required attribution or assignment of rights.

Key Takeaways

  • Report vulnerabilities to the City's IT department promptly and responsibly.
  • Do not test without permission; unauthorized testing can lead to enforcement.
  • Use official channels and preserve evidence for triage and remediation.

Help and Support / Resources