It is important for us that you feel safe when you shop on our websites. The safety of your data and our websites are always a priority for us. We monitor our network and improve and enhance security on an ongoing basis. Despite our effort, weaknesses can potentially be found.

Weakness can occur either during normal use of our websites, or by an explicit intent to search for and find vulnerabilities. If you in one way or another, find a weakness, we would like to hear from you, so we can improve based on your findings.

This policy is explicitly not an invitation to actively scan our infrastructure for weak spots. However, if you do find a vulnerability, we want you to know how we will handle that, what we expect from you, and what you can expect from us.

What we expect from you

If you have found a weakness on our website, please inform us through the form below. Please include as much information as possible:

• Please describe the weakness, you have identified
• Please describe the steps you have taken to see this weakness
• What objects have you used? For example: filters, text fields, etc.
• What is the URL?
• Can you include a screenshot of the result?
• What browser(s) and what version(s) did you spot the weakness in?
• What operating system (and version) have you used?
• Can you include the application, script and/or code used?
• If you would like us to follow up with you, please include your contact details. You can also choose to remain anonymous.

Don’t abuse the vulnerability by for example downloading, editing, or deleting data, and do not share the finding with anybody, until we have investigated and solved potential issues. We will decide if and how we are going to communicate about the vulnerability. If you wish, we can share our communication plan with you. Don’t use any attacks on physical security, of hacking or social engineering tools, for example vulnerability scanners.

What you should expect from us

After you have shared your findings with us, we will confirm the received message and start investigating with high priority. We expect that we will respond to you within 5 business days with our first evaluation of your and our findings, and with an expected resolution date.

Your report will be handled confidentially. No personal information will be shared with third parties without your written consent. The only exception is if we are required to so by authorities (such as the police) to share this information.

If you follow the rules in this policy, we will not take legal actions against you.

We do not reward findings with money.