$ whoami
aka c1phy
White-Hat & Elite-Hacker // HTB-Guru // Head of IT-Security // Freelancer
// 01 intro
I'm Marc-Oliver Munz, a 35-year-old IT security professional based in the Stuttgart region, Germany, currently working as Head of IT Security. Over 19 years I grew through IT, from 1st and 2nd level support to administration and finally leading information security. Today my focus is building resilient security infrastructure and fostering a security culture in organizations.
My expertise covers both sides of security: defensive work around SIEM, XDR, SOC, NGFW and ISO 27001 compliance across the full IT infrastructure, and offensive, ethical hacking. I have led bug bounty programs and regularly take part in renowned live hacking events worldwide, including for Intel and Yahoo.
As an Intigriti Hacker Ambassador for Germany I bring the community together, share knowledge and help newcomers get into bug bounty and security research, and I promote responsible disclosure. My work has been recognized in halls of fame at Apple, the German armed forces (VDPBw), the Federal Office for Information Security (BSI), Heise, Deutsche Telekom and Mercedes-Benz.
// 02 live hacking events
Live hacking events I took part in, from my first to what's coming up next.
Mannheim, Germany
The first Kaeferjaeger live hacking event, where our German collective of around 40 hackers and security experts started its own self-organized LHE series.
Watch aftermovieBonn, Germany
Our second self-organized live hacking event with Kaeferjaeger, a German collective of around 40 hackers and security experts that I am part of.
Watch aftermovie
Leuven, Belgium
My first Intigriti live hacking event, on-site in Leuven, where I finished in the top 5 among experienced researchers. A formative milestone.
Watch aftermovieAntwerp, Belgium
Yahoo's European live hacking event with 40 selected researchers from across Europe and the US, supported by Intigriti, where I secured a top 15 finish.
Watch aftermovie
Copenhagen, Denmark
Live hacking event in Copenhagen hosted by Visma and Intigriti, where my team placed in the top 3. An intensive review of Visma's cloud software products by experienced hackers.
Varna, Bulgaria
A special opportunity to take part in the Intigriti live hacking event held in Varna, Bulgaria, hacking on-site alongside selected European researchers.
Lisbon, Portugal
Selected among 100 elite hackers worldwide to harden the security of a brand-new Intel SaaS product, hosted by Intel and Intigriti.
Watch aftermovieBochum, Germany
The very first HackerOne Club Germany hacking meetup, held in Bochum and targeting the Tools for Humanity program. Open to all skill levels, with a remote component.
Event page
Utrecht, Netherlands
HackerHideout, an invite-only gathering where Europe's top bug bounty hunters, pentesters and ethical hackers meet in person. One venue, one day, plus pizza and war stories when the laptops close.
Event pageBochum, Germany
Hybrid edition of the German HackerOne Club meetup with an in-person day in Bochum, hacking the Grab program alongside the club community.
Event pageRemote only
ExnessFound the most critical bug of the 3rd virtual HackerOne Germany Club meetup and was awarded "Maximum Impact and Maximum Bounty" by Exness.
Event pageLeuven, Belgium
Team live hacking of a large financial organization, with a scope of technically complex mobile and web applications. We achieved a strong placement and uncovered several high-impact vulnerabilities. Also awarded Intigriti's silver coin (250 valid reports) and gold coin (500 submissions).
Remote only
UndisclosedFifth edition of the German HackerOne Club hacking meetup, held remotely. A week-long hacking phase on a partner program, with a leaderboard and a closing remote meetup day for networking and show & tells.
Event pageStuttgart, Germany
The first Intigriti Bug Bounty Meetup in Stuttgart, which I founded and hosted as Hacker Ambassador for newcomers and experienced hackers alike.
Berlin, Germany
A HackerOne in-person hacking challenge in Berlin, bringing invited researchers together on-site for a focused round of collaborative bug hunting.
An upcoming Intigriti live hacking event later in the year. Looking forward to hacking on-site with the community again; further details to be announced.
// 03 recognition
Ambassador roles, awards and hall-of-fame acknowledgements.
Intigriti Ambassador
Organized and hosted the first Intigriti Bug Bounty Meetup in Stuttgart as Hacker Ambassador, bringing newcomers and experienced hackers together for talks, hands-on hacking and networking.
Intigriti
Selected as the official Intigriti Hacker Ambassador for Germany, based on continuous platform performance, high-impact findings and active participation in live hacking events. The role promotes responsible disclosure and represents the platform within the community.
HackerOne (German H1 Club)
Awarded Most Impactful Hacker 2025 for the highest individual bounty across all German H1 Club editions of the year. Recognizes the single most security-relevant and financially significant finding within the series, including programs such as Exness.
Intigriti
Featured in Intigriti's Ethical Hacker Insights series, talking about my journey into bug bounty, notable findings and the mindset behind finding critical vulnerabilities.
Exness / HackerOne German Club
Found the most critical bug of the 3rd virtual HackerOne Germany Club meetup (Jun 2025), awarded "Maximum Impact and Maximum Bounty" by Exness and the highest payout of the event. The event paid out over $94,000 in bounties, a record for the series.
Intigriti
My open-source tool SQLTimer, a fast Go scanner for time-based SQL injection, was featured in Intigriti's Bug Bytes newsletter (issue #224) as a useful addition to the bug bounty tooling community.
Intigriti
Reached the Intigriti Emerald Legend milestone for 500 valid submissions, reflecting the sustained volume and quality of accepted vulnerability reports over years of continuous research on the platform.
HackerOne
Active member of Team Germany in HackerOne's global Ambassador World Cup, a team-based live hacking tournament. Advanced to the Sweet Sixteen round against teams from around the world.
Deutsche Telekom
Discovered a broken access control flaw in a GraphQL interface of a Deutsche Telekom website; query manipulation allowed access to personal data (PII). Acknowledged in the Telekom Hall of Fame.
BSI
Continuous reporting to the Federal Office for Information Security since late 2022: 388 reported vulnerabilities, 290 of them already confirmed and fixed, actively strengthening cybersecurity.
Intigriti
Reached #1 on the Intigriti platform quarterly leaderboard as M4573R R007, alongside the Payload Master badge (top 10 platform). A milestone marking sustained top performance across programs.
VDPBw
Awarded the VDPBw coin for 39 confirmed vulnerabilities, including ATO, information disclosure, LFI, SQL injection, SSRF and cross-site scripting. Recognizes reporting a broad range of security threats.
Heise Group
Listed in the Heise Hall of Fame for reporting more than 10 security vulnerabilities, contributing to the security of Heise's digital platforms.
Intigriti
Video interview with Intigriti, filmed at the 1337UP0622 live hacking event in Leuven, on my path into ethical hacking and bug bounty.
Intigriti
Reached #1 on an Intigriti program quarterly leaderboard as R007 Ch13f, ranking ahead of all other researchers competing on that program during the quarter.
Apple
Acknowledged multiple times in Apple's web server security acknowledgements for continuous contributions to the security of Apple's systems across several reported issues.
Mercedes-Benz AG
Identified a critical vulnerability at Mercedes-Benz in 2022, leading to inclusion in the Mercedes-Benz Hall of Fame for responsible disclosure.
Hack The Box
Reached the Guru rank on Hack The Box (HTB-Guru), a long-standing personal milestone reflecting deep hands-on offensive security skills.
// 04 writeups
Selected disclosures. Some are referenced by NVD/NIST.
// 05 certifications