Responsible disclosure

Hemnet believes in responsible disclosure and in open communication with the security community. We take our visitors and customers security seriously and will respond swiftly to fix verifiable security issues as part of our responsible disclosure program.

If you are the first to report a verifiable security issue under our program, you will be eligible for a monetary reward.

Who can participate in the program?

Anyone who doesn't work for Hemnet or partners of Hemnet can participate in the program.

We encourage anyone to report security issues to [email protected]

Scope of the program

The program scope includes the domain and all subdomains not listed as excluded below.

Out of scope

The following subdomains are excluded (out of scope) from this program:


The following issues are excluded (out of scope) from this program:

  • Findings from automated tools without providing a Proof of Concept
  • Vulnerabilities requiring MITM or physical access to a user's browser, device, or email account
  • Missing or weak security-related HTTP headers
  • Findings regarding user authentication best practices
  • Absence of or ability to bypass rate limiters on forms

Other guidelines

Please don't knowingly perform research that could impact other users or the availability of our servicText. When submitting a report, please keep it short and succinct. If we fail to understand the issue you have reported, we will ask you for clarification.

Hemnet reserves the rights to discontinue the reward program without previous notice at any time.