Responsible disclosure

Hemnet believes in responsible disclosure and in open communication with the security community. We take our visitors' and customers' security seriously and will respond swiftly to fix verifiable security issues as part of our responsible disclosure program.

If you are the first to report a verifiable security issue under our program, you will be eligible for a monetary reward.

Who can participate in the program?

Anyone who doesn't work for Hemnet or partners of Hemnet can participate in the program.

We encourage anyone to report security issues to [email protected]

Our public PGP key can be found on a keyserver, such as The fingerprint for the public key is 015B F27B 03B4 29A9 BA52 FA74 FFB7 9C20 163F 15CD.

The public key can be verified using the signed security.txt.

Which domains are in scope?

The domain and any subdomain except for these:


Other guidelines

Please don't knowingly perform research that could impact other users or the availability of our service. When submitting a report, please keep it short and succinct. If we fail to understand the issue you have reported, we will ask you for clarification.

Hemnet reserves the right to discontinue the reward program at any time without prior notice.