Report Security Vulnerabilities to Louisville City Staff

In Louisville, Kentucky, city staff and departments handle reports of security vulnerabilities and phishing incidents through the Metro Information Technology office and relevant enforcement units. This guide explains who to contact, what information to collect, immediate containment steps, and how enforcement and appeals are handled under municipal practice. If the issue affects public systems, preserve logs and evidence, avoid probing systems beyond what is necessary to document the issue, and report promptly to official channels to reduce harm and preserve legal protections.

Who to report to

Report technical incidents that affect city systems, employee accounts, or citizen services to Louisville Metro Information Technology. For potential crimes or threats to public safety, also notify Louisville Metro Police.

• Contact Louisville Metro Information Technology via the department complaint and contact page louisvilleky.gov/office-city-county-information-technology^[1].
• For criminal threats or targeted attacks, contact Louisville Metro Police through official non-emergency or incident reporting channels.

Initial steps to take

Do not publicly disclose the vulnerability or probe systems beyond what you already observed. Preserve evidence and timestamps, capture affected URLs and headers, isolate affected accounts or devices, and collect screen captures and log extracts for investigators.

• Collect timestamps, affected URLs, logs, and screenshots.
• Limit further testing and do not exploit the issue.
• Prepare a concise report describing steps to reproduce and the impact.

Penalties & Enforcement

Municipal ordinances and departmental policies control city systems, but specific criminal penalties for unauthorized access or cybercrimes are typically set by state or federal law rather than local code. The City enforcer for internal security incidents is Louisville Metro Information Technology; criminal matters are handled by Louisville Metro Police and the Commonwealth of Kentucky authorities. Where the municipal code addresses prohibited access or misuse of city systems it may reference penalties in civil or administrative sections; specific fine amounts or escalation schedules are not specified on the cited municipal pages Municipal Code^[2].

• Fine amounts: not specified on the cited page.
• Escalation for repeat or continuing offences: not specified on the cited page.
• Non-monetary sanctions: administrative orders, account suspension, system access revocation, and referral to law enforcement.
• Enforcer: Louisville Metro Information Technology for city-system incidents; Louisville Metro Police for criminal matters. Contact via the department page IT contact^[1].
• Appeals/review: administrative appeal procedures and time limits are not specified on the cited municipal pages.
• Common violations: unauthorized access to city systems, phishing using city email brands, data exfiltration; penalties vary and are not specified on the cited page.

Applications & Forms

There is no public vulnerability disclosure form published on the departmental pages examined. Reporters are instructed to contact the Information Technology office via the department contact page; a formal online vulnerability disclosure form is not specified on the cited IT page IT contact^[1].

How the city investigates

Investigations are coordinated by Louisville Metro Information Technology and may involve legal, HR, and law enforcement units. The IT team triages impact, preserves evidence, coordinates containment, and advises on notification requirements.

• Containment and mitigation are performed by Metro IT.
• Evidence preservation and forensic review are handled under departmental procedures.
• Referral to Louisville Metro Police or state prosecutors occurs for suspected criminal conduct.

FAQ

How do I report a vulnerability affecting a city website?

Contact Louisville Metro Information Technology with a clear description, evidence, and contact details; use the department contact page for submission and follow-up.

Will I be penalized for reporting a vulnerability?

Good-faith reporting to city staff is encouraged; penalties for unauthorized access depend on conduct and applicable law and are not specified on the cited municipal pages.

What if I suspect a phishing email targeting citizens?

Preserve the email headers, do not click links, and forward the message to Metro IT and to security contacts designated by the department.

How-To

1. Identify and document the issue: collect timestamps, URLs, logs, and screenshots.
2. Isolate affected accounts or systems to limit further exposure.
3. Report the incident to Louisville Metro Information Technology via the official contact page IT contact^[1].
4. Cooperate with investigators and provide requested evidence without performing intrusive testing.
5. If criminal activity is suspected, be prepared to report to Louisville Metro Police as directed by investigators.

Key Takeaways

• Report suspected vulnerabilities promptly to Metro IT.
• Preserve logs and evidence; avoid further probing.
• Enforcement may involve administrative and criminal authorities; specifics are not published on the cited municipal pages.

Help and Support / Resources

• City of Louisville - Office of City-County Information Technology
• Louisville Municipal Code (Municode)
• Louisville Metro Police Department

1. [1] City of Louisville - Office of City-County Information Technology: department contact and services.
2. [2] City of Louisville Municipal Code: consolidated code of ordinances.