Report IT Security Vulnerabilities - Atlanta Bylaws

Technology and Data Georgia 3 Minutes Read · published February 08, 2026 Flag of Georgia

In Atlanta, Georgia, reporting IT security vulnerabilities to city officials helps protect municipal systems, services and resident data. This guide explains who enforces city IT security, what to include in a report, how to submit a vulnerability or incident disclosure, and what enforcement or remedies the city may pursue. It summarizes official city contacts and practical steps to report a vulnerability to the City of Atlanta Office of Information Technology (OIT) and related offices so your submission reaches the right team promptly.[1]

What to report

Report any security vulnerability that affects city systems, web applications, APIs, databases, or services that process personal or sensitive data. Include reproducible steps, affected URLs or services, timestamps, and safe evidence (logs, sanitized screenshots, sample payloads).

  • Include a concise summary of the vulnerability and impact.
  • Provide step-by-step reproduction instructions and test data where safe.
  • Supply affected endpoints, system names, and any relevant configuration details.
  • Offer contact information for follow-up questions and to coordinate remediation.
Report evidence safely without exposing resident personal data.

How to submit a report

Send vulnerability reports directly to the City of Atlanta Office of Information Technology (OIT) Information Security team using the official contact and reporting channels maintained by OIT. For official reporting instructions and contact options, refer to the city's OIT cybersecurity information and OIT contact pages.[1][2]

  • Use any official web form or secure submission channel listed by OIT if available.
  • If a phone or portal is provided for incidents, follow OIT's escalation steps.

Penalties & Enforcement

The City of Atlanta's primary enforcement for IT security incidents is handled by the Office of Information Technology (OIT) Information Security team, in coordination with legal and public safety units as needed.[1]

  • Enforcer: City of Atlanta, Office of Information Technology - Information Security group, with coordination from City Law and Public Safety.
  • Monetary fines: specific fines for IT security breaches or unauthorized access are not specified on the cited city OIT pages.
  • Escalation: first, remedial and mitigation actions; for criminal conduct, referral to law enforcement. Specific escalation penalties or ranges are not specified on the cited page.
  • Non-monetary sanctions: remediation orders, system access suspension, account terminations, and legal or court action where applicable.
  • Appeals and review: procedural appeals or administrative review routes are not specified on the cited OIT pages; contact OIT or City Law for appeal deadlines and process.
Specific fine amounts and statutory sections are not listed on OIT information pages and must be confirmed with City Law or the municipal code.

Applications & Forms

No standardized public vulnerability-bounty or disclosure form is published on the cited OIT pages; specific submission forms or signed agreements are not specified on the cited pages. Contact OIT for any required form or secure-reporting method.[2]

  • If OIT publishes a secure portal or form, follow that channel for reports.
  • Deadlines or time limits for reporting incidents are not specified on the cited pages; report as soon as possible after discovery.

Action steps

  • Collect reproducible evidence and redact any resident personal data before sharing.
  • Submit the report via OIT's official channel or contact page and request a ticket or reference number.
  • If you observe criminal activity, contact local law enforcement in addition to OIT.
Always request a tracking number or receipt so the city can confirm your disclosure was received.

FAQ

Who is the right office to receive vulnerability reports?
The City of Atlanta Office of Information Technology (OIT) Information Security team is the primary office for IT vulnerability reports; use OIT contact channels for submission.[1]
What information should I include in a vulnerability report?
Include a summary, affected systems or URLs, step-by-step reproduction, timestamps, sanitized evidence, and your contact details.
Will I face penalties for reporting a vulnerability?
Good-faith reporting is intended to aid remediation; specific liability protections or penalties for reporters are not specified on the cited OIT pages—confirm with OIT or City Law before conducting intrusive testing.

How-To

  1. Prepare a clear, reproducible report with sanitized evidence and the systems affected.
  2. Locate OIT's official reporting or contact page and use the secure channel referenced there.[2]
  3. Submit the report and request a ticket number for tracking.
  4. Follow any coordination instructions from OIT and avoid public disclosure until mitigated by the city.
Coordinate with OIT before publishing details to avoid harming city services or residents.

Key Takeaways

  • Report vulnerabilities quickly to OIT to enable timely remediation.
  • Provide reproducible steps and redact sensitive resident data from evidence.
  • Use official OIT channels and request a tracking reference.

Help and Support / Resources

  1. [1] City of Atlanta - Office of Information Technology: Cybersecurity
  2. [2] City of Atlanta - OIT Contact

Categories

General Governance and Administration Public Safety Public Health and Welfare Land Use and Zoning Housing and Building Standards Transportation Environmental Protection Parks and Public Spaces Business and Consumer Protection Taxation and Finance Labor and Employment Education Civil Rights and Equity Elections and Campaign Finance Events and Special Uses Signs and Advertising Utilities and Infrastructure Technology and Data