$ whoami
aka c1phy
White-Hat & Elite-Hacker // HTB-Guru // Head of IT-Security // Freelancer
// 01 intro
I'm Marc-Oliver Munz, a 35-year-old IT security professional based in the Stuttgart region, Germany, currently working as Head of IT Security. Over 19 years I grew through IT, from 1st and 2nd level support to administration and finally leading information security. Today my focus is building resilient security infrastructure and fostering a security culture in organizations.
My expertise covers both sides of security: defensive work around SIEM, XDR, SOC, NGFW and ISO 27001 compliance across the full IT infrastructure, and offensive, ethical hacking. I have led bug bounty programs and regularly take part in renowned live hacking events worldwide, including for Intel and Yahoo.
As an Intigriti Hacker Ambassador for Germany I bring the community together, share knowledge and help newcomers get into bug bounty and security research, and I promote responsible disclosure. My work has been recognized in halls of fame at Apple, the German armed forces (VDPBw), the Federal Office for Information Security (BSI), Heise, Deutsche Telekom and Mercedes-Benz.
// 02 live hacking events
Live hacking events I took part in, from my first to what's coming up next.
Mannheim, Germany
The first Kaeferjaeger live hacking event, where our German collective of around 40 hackers and security experts started its own self-organized LHE series.
Watch aftermovieBonn, Germany
Our second self-organized live hacking event with Kaeferjaeger, a German collective of around 40 hackers and security experts that I am part of.
Watch aftermovie
Leuven, Belgium
My first-ever Intigriti live hacking event, on-site in Leuven among experienced researchers from across the platform. A formative milestone that kicked off my live-hacking journey.
Watch aftermovieAntwerp, Belgium
Yahoo's first in-person live hacking event in over two years, run with Intigriti in Belgium, gathering 40 selected researchers from around the world. The scope centered on Yahoo's open-source search engine Vespa and core properties, capped off by the F1 Belgian Grand Prix.
Watch aftermovie
Copenhagen, Denmark
An invite-only live hacking event in Copenhagen hosted by Visma and Intigriti, bringing together some of the best hackers worldwide for an intensive review of Visma's cloud software products.
Varna, Bulgaria
One of Intigriti's exclusive live hacking events, with around 30 hand-picked researchers. A remote submission and scoping phase in the run-up led into several on-site days in Varna, Bulgaria, including community and hacking days among the strongest hunters.
Lisbon, Portugal
Knights of Elektron, an invite-only Intel Project Circuit Breaker live hacking event in Lisbon, run together with Intigriti. Selected among 100 elite hackers worldwide, qualified through a preliminary round to hack a brand-new Intel SaaS product.
Watch aftermovieBochum, Germany
The very first HackerOne Club Germany hacking meetup, held in Bochum and targeting the Tools for Humanity program. Open to all skill levels, with a remote component.
Event page
Utrecht, Netherlands
HackerHideout, an invite-only gathering where Europe's top bug bounty hunters, pentesters and ethical hackers meet in person. One venue, one day, plus pizza and war stories when the laptops close.
Event pageBochum, Germany
Hybrid edition of the German HackerOne Club meetup with an in-person day in Bochum, hacking the Grab program alongside the club community.
Event pageRemote only
ExnessThird edition of the German HackerOne Club meetup with Exness, an intense two-week remote phase. I focused entirely on a single target and landed the event's most critical bug, awarded "Maximum Impact and Maximum Bounty" by Exness.
Event pageLeuven, Belgium
A high-stakes Intigriti live hacking event in Leuven against a major financial organization, with a technically complex mobile and web scope. We landed a strong placement and high-impact bugs, and I received Intigriti's silver and gold coins from the CEO for reaching the 250 and 500 milestones.
Remote only
UndisclosedFifth edition of the German HackerOne Club hacking meetup, held remotely. A week-long hacking phase on a partner program, with a leaderboard and a closing remote meetup day for networking and show & tells.
Event pageStuttgart, Germany
The first Intigriti Bug Bounty Meetup in Stuttgart, which I founded and hosted as Hacker Ambassador. A community evening at Shackspace bringing together everyone from complete beginners to seasoned hackers, with guest talks, shared hacking and a lot of exchange.
Berlin, Germany
An invite-only HackerOne challenge bringing together top researchers from around the world, centered on several on-site days in Berlin paired with a remote hacking phase. An intense competition on a single high-profile program with an unusually interesting, specialized scope.
Bochum, Germany
A friendly Netherlands vs Germany match between the Dutch and German HackerOne Clubs, run as an Ambassador World Cup warm-up. A remote hacking week closing with a hybrid day in Bochum.
Event pageAn upcoming Intigriti live hacking event later this year, one of the exclusive on-site editions I look forward to most. Further details to be announced.
// 03 recognition
Ambassador roles, awards and hall-of-fame acknowledgements.
Intigriti Ambassador
Organized and hosted the first Intigriti Bug Bounty Meetup in Stuttgart as Hacker Ambassador, bringing newcomers and experienced hackers together for talks, hands-on hacking and networking.
Intigriti
Selected as the official Intigriti Hacker Ambassador for Germany, based on continuous platform performance, high-impact findings and active participation in live hacking events. The role promotes responsible disclosure and represents the platform within the community.
HackerOne (German H1 Club)
Awarded Most Impactful Hacker 2025 for the highest individual bounty across all German H1 Club editions of the year. Recognizes the single most security-relevant and financially significant finding within the series, including programs such as Exness.
Intigriti
Featured in Intigriti's Ethical Hacker Insights series, talking about my journey into bug bounty, notable findings and the mindset behind finding critical vulnerabilities.
Exness / HackerOne German Club
Found the most critical bug of the 3rd virtual HackerOne Germany Club meetup (Jun 2025), awarded "Maximum Impact and Maximum Bounty" by Exness and the highest payout of the event. The event paid out over $94,000 in bounties, a record for the series.
Intigriti
My open-source tool SQLTimer, a fast Go scanner for time-based SQL injection, was featured in Intigriti's Bug Bytes newsletter (issue #224) as a useful addition to the bug bounty tooling community.
Intigriti
Reached the Intigriti Emerald Legend milestone for 500 valid submissions, reflecting the sustained volume and quality of accepted vulnerability reports over years of continuous research on the platform.
HackerOne
Active member of Team Germany in HackerOne's global Ambassador World Cup, a team-based live hacking tournament. Advanced to the Sweet Sixteen round against teams from around the world.
Deutsche Telekom
Discovered a broken access control flaw in a GraphQL interface of a Deutsche Telekom website; query manipulation allowed access to personal data (PII). Acknowledged in the Telekom Hall of Fame.
BSI
Continuous reporting to the Federal Office for Information Security since late 2022: 388 reported vulnerabilities, 290 of them already confirmed and fixed, actively strengthening cybersecurity.
Intigriti
Reached #1 on the Intigriti platform quarterly leaderboard as M4573R R007, alongside the Payload Master badge (top 10 platform). A milestone marking sustained top performance across programs.
VDPBw
Awarded the VDPBw coin for 39 confirmed vulnerabilities, including ATO, information disclosure, LFI, SQL injection, SSRF and cross-site scripting. Recognizes reporting a broad range of security threats.
Heise Group
Listed in the Heise Hall of Fame for reporting more than 10 security vulnerabilities, contributing to the security of Heise's digital platforms.
Intigriti
Video interview with Intigriti, filmed at the 1337UP0622 live hacking event in Leuven, on my path into ethical hacking and bug bounty.
Intigriti
Reached #1 on an Intigriti program quarterly leaderboard as R007 Ch13f, ranking ahead of all other researchers competing on that program during the quarter.
Apple
Acknowledged multiple times in Apple's web server security acknowledgements for continuous contributions to the security of Apple's systems across several reported issues.
Mercedes-Benz AG
Identified a critical vulnerability at Mercedes-Benz in 2022, leading to inclusion in the Mercedes-Benz Hall of Fame for responsible disclosure.
Hack The Box
Reached the Guru rank on Hack The Box (HTB-Guru), a long-standing personal milestone reflecting deep hands-on offensive security skills.
// 04 writeups
Selected disclosures. Some are referenced by NVD/NIST.
// 05 certifications