Responsible Disclosure Policy

We greatly appreciate investigative work into security vulnerabilities which is carried out by security researchers.


This disclosure policy applies only to vulnerabilities in our products and services under the following conditions:

  • Only vulnerabilities which are original and previously unreported and not already discovered by internal procedures are in scope.
  • Only domains/subdomains of

The following security issues are currently not in scope:

  • Volumetric vulnerabilities
  • TLS configuration weaknesses
  • Reports of non-exploitable vulnerabilities
  • Reports indicating that our services do not fully align with "best practice" e.g. missing security headers (CSP, x-frame-options, x-prevent-xss etc) or suboptimal email related configuration (SPF, DMARC etc)

Reporting security issues

If you have discovered an issue which you believe is an in-scope security vulnerability, please email

In accordance with industry convention, we ask that reporters provide a benign (i.e. non-destructive) proof of exploitation wherever possible. Please ensure that you do not send your proof of of exploit in the initial, plaintext email if the vulnerability is still exploitable. Instead we ask you to a brief description of the class of the vulnerability and the website or page in which the vulnerability exists.

If you are in any doubt, please email for advice.


You must not:

  • Access unnecessary amounts of data
  • Modify data in our systems/services which is not your own
  • Disrupt our services and/or systems
  • Disclose any vulnerabilities in Byggkollen systems/services to 3rd parties/the public

Unfortunately, it is not currently possible for us to offer a paid bug bounty programme.