
hm.com

Scanned: 10:19:40+0000 on 24 April 2024

{
  "time": 1713953978.1071403,
  "raw_target": "hm.com",
  "has_contact": true,
  "target": "hm.com",
  "scan_type": "domain",
  "message": "hm.com",
  "domain_details": {
    "a_records": [
      "23.62.173.93"
    ],
    "cname_records": [],
    "txt_records": [
      "atlassian-domain-verification=rXgVxegDgh2fm4nQaoSlS90nXn0F6BYiJPHz4hjMlzVu2I0+kSuZP0TnhjyUSZGp",
      "G2bZpqGwWu85NIZJY33pbpdfJxTP/QLFV9n+x8RZjGP1SWkdErh7nAZnByGdIkqwVSKm/6isgl5TcIOxmIEnNA==",
      "miro-verification=e4059dff7f2d29aec9f55eeae3914fa0ef366d54",
      "google-site-verification=dR2q1jG9JAbxDT3yUBICWZU9dhQYhivHoyjIRhAVXRc",
      "onetrust-domain-verification=1ff189c74ebf4c888372e3bb707a4308",
      "google-site-verification=o1Jp_A7nyaqyVx2iVsGeOE5AxYVVGuHHujPKgvGsACQ",
      "autodesk-domain-verification=kpt7uVD8XGDqacAnLRCb",
      "adobe-idp-site-verification=6e80038b-44f6-419e-ae11-6ee6850aa026",
      "apple-domain-verification=5QKtbSvIP6R1eKDM",
      "facebook-domain-verification=qxfyzws0ptcxs8pbyl4k14jy4vsldi",
      "google-site-verification=JDyauPZukgW5gK4zlhzTvoHS3XcpXcV0lgRhjKlLH3s",
      "MS=ms57654797",
      "onetrust-domain-verification=098f288143b740adb8f1b3222b1ced18",
      "google-site-verification=3yuYIJ0JglKgU5MrUl1pEz_szYTXQn_65JLdsn4_mhA",
      "google-site-verification=boXPvNIfucnoZ_KaB4LlCxTBJ9WQFY4okNXggfxCCEE",
      "google-site-verification=UxSEyCRFug0oSQxH7k5JQRShc2r1ifQCMODJWxffdUs",
      "google-site-verification=hK6uvC3tJlvSUbtLpj5S3uiGchRLkKtadAkWcu2vhxE",
      "mX3c0tVJ24VTEcT8oMA5MhdhqRFZ7MvHdI3CwPfqDonreHEnz0A3t9kw2oOfgkaWiZJmXJJU82zTLG/g8Ra4cQ==",
      "nn2s2xlxwhyv1m6l7shys76393qh9800",
      "MS=ms15393788",
      "v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all",
      "aliyun-site-verification=e1c3e9df-a922-4e59-b137-bf160c374096",
      "MS=ms87116262",
      "google-site-verification=oYrxRuXwpqE5Q8z9N-JWNRptC8JsZKOul92phlJaMAQ",
      "wip.hm.com. 3600 IN DS 30096 10 2 d3bbf2a81ea8e1c5f829c3e5a823b9c03034ae5367eeb16c303daaada0215015",
      "google-site-verification=1PG9sMvbbZpYR18r3jy1VeCvvn45EU_iLkMlVcqNdQc",
      "google-site-verification=2OPt_a_jPijzWyhRBCUIvw7H4w2FU-BCJvBqwte0esA"
    ],
    "time": 0,
    "dns_resolve_time": 1713953978.7281861
  },
  "dnssecuritytxt": {
    "security_contact": null,
    "security_policy": null,
    "matching_domain": null
  },
  "port": 443,
  "certificate": {
    "issuer": "/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1",
    "notAfter": "2024-12-19 23:59:59 UTC",
    "notBefore": "2023-12-19 00:00:00 UTC",
    "serialNumber": 18796248470276791476743100053616347249,
    "subject": "/C=SE/L=Stockholm/O=H & M Hennes & Mauritz AB/CN=*.hm.com",
    "authorityKeyIdentifier": [
      "B7:6B:A2:EA:A8:AA:84:8C:79:EA:B4:DA:0F:98:B2:C5:95:76:B9:F4"
    ],
    "subjectKeyIdentifier": [
      "E0:E6:AD:B4:1B:13:D9:FC:61:B4:A0:68:52:88:66:63:C2:A9:3F:9D"
    ],
    "subjectAltName": {
      "DNS": [
        "*.hm.com",
        "hm.com"
      ]
    },
    "certificatePolicies": [
      "Policy: 2.23.140.1.2.2",
      "CPS: http://www.digicert.com/CPS"
    ],
    "keyUsage": [
      "Digital Signature, Key Encipherment"
    ],
    "extendedKeyUsage": [
      "TLS Web Server Authentication, TLS Web Client Authentication"
    ],
    "crlDistributionPoints": [
      "Full Name:",
      {
        "URI": "http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl"
      },
      {
        "URI": "http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl"
      }
    ],
    "authorityInfoAccess": [
      {
        "OCSP - URI": "http://ocsp.digicert.com"
      },
      {
        "CA Issuers - URI": "http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt"
      }
    ],
    "basicConstraints": [
      "CA:FALSE"
    ],
    "ct_precert_scts": [
      "Signed Certificate Timestamp:",
      "Version   : v1 (0x0)",
      "Log ID    : EE:CD:D0:64:D5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2:",
      "32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B",
      "Timestamp : Dec 19 00:14:06.726 2023 GMT",
      "Extensions: none",
      "Signature : ecdsa-with-SHA256",
      "30:45:02:20:44:B0:42:8F:50:72:35:8D:10:8E:F6:CC:",
      "8A:0F:E9:EB:AB:10:BD:FB:BF:02:64:17:07:9E:3C:04:",
      "03:23:27:D2:02:21:00:BE:20:15:81:47:59:44:6F:30:",
      "60:C0:BF:15:33:BB:EA:E7:3C:6D:D5:EA:35:ED:E6:80:",
      "FC:90:B3:ED:5B:74:EA",
      "Log ID    : 48:B0:E3:6B:DA:A6:47:34:0F:E5:6A:02:FA:9D:30:EB:",
      "1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73",
      "Timestamp : Dec 19 00:14:06.713 2023 GMT",
      "30:44:02:20:40:93:F9:26:94:A4:B5:16:25:22:E7:9E:",
      "10:77:0A:08:B1:E8:C0:AD:0E:CC:C3:07:1C:E9:C5:73:",
      "63:D2:A3:AB:02:20:67:11:52:E5:24:70:C8:B5:82:24:",
      "F5:42:58:5D:1C:16:FD:DE:A9:38:33:11:CD:E4:81:12:",
      "6A:52:E5:1C:8F:A1",
      "Log ID    : DA:B6:BF:6B:3F:B5:B6:22:9F:9B:C2:BB:5C:6B:E8:70:",
      "91:71:6C:BB:51:84:85:34:BD:A4:3D:30:48:D7:FB:AB",
      "Timestamp : Dec 19 00:14:06.679 2023 GMT",
      "30:45:02:20:78:9B:EA:F6:2F:ED:1D:5E:5C:89:F7:18:",
      "B1:21:AB:95:CD:C9:1A:E1:C5:75:15:82:5B:A2:46:12:",
      "D4:B0:04:63:02:21:00:9C:9A:95:AF:0D:B2:99:B9:4E:",
      "C7:74:AB:FE:28:EF:0C:7E:BA:76:E8:2C:7F:93:53:EE:",
      "A8:5B:77:1D:91:6F:69"
    ]
  },
  "http_security_txt": {
    "url": "https://www.hm.com/security.txt",
    "status_code": 200,
    "has_contact": true,
    "valid_https": true,
    "valid_content_type": true,
    "full_text": "# Version 2.3\r\n#\r\n# --- For the Robots ---\r\nContact: mailto:bug-reports@hm.com\r\nExpires: 2023-03-31T13:00:00.000Z\r\nPreferred-Languages: en\r\nPolicy: Begins on Line 40 in this file\r\n# --- End for the Robots ---\r\n#\r\n#\r\n#\r\n# --- For the Humanoid ---\r\n#\r\n# HHHHHHHHH     HHHHHHHHH     &&&&&&&&&&    MMMMMMMM               MMMMMMMM             GGGGGGGGGGGGG                                                                          \r\n# H:::::::H     H:::::::H    &::::::::::&   M:::::::M             M:::::::M          GGG::::::::::::G                                                                          \r\n# H:::::::H     H:::::::H   &::::&&&:::::&  M::::::::M           M::::::::M        GG:::::::::::::::G                                                                          \r\n# HH::::::H     H::::::HH  &::::&   &::::&  M:::::::::M         M:::::::::M       G:::::GGGGGGGG::::G                                                                          \r\n#   H:::::H     H:::::H    &::::&   &::::&  M::::::::::M       M::::::::::M      G:::::G       GGGGGGrrrrr   rrrrrrrrr      ooooooooooo   uuuuuu    uuuuuu ppppp   ppppppppp   \r\n#   H:::::H     H:::::H     &::::&&&::::&   M:::::::::::M     M:::::::::::M     G:::::G              r::::rrr:::::::::r   oo:::::::::::oo u::::u    u::::u p::::ppp:::::::::p  \r\n#   H::::::HHHHH::::::H     &::::::::::&    M:::::::M::::M   M::::M:::::::M     G:::::G              r:::::::::::::::::r o:::::::::::::::ou::::u    u::::u p:::::::::::::::::p \r\n#   H:::::::::::::::::H      &:::::::&&     M::::::M M::::M M::::M M::::::M     G:::::G    GGGGGGGGGGrr::::::rrrrr::::::ro:::::ooooo:::::ou::::u    u::::u pp::::::ppppp::::::p\r\n#   H:::::::::::::::::H    &::::::::&   &&&&M::::::M  M::::M::::M  M::::::M     G:::::G    G::::::::G r:::::r     r:::::ro::::o     o::::ou::::u    u::::u  p:::::p     p:::::p\r\n#   H::::::HHHHH::::::H   &:::::&&::&  &:::&M::::::M   M:::::::M   M::::::M     G:::::G    
GGGGG::::G r:::::r     rrrrrrro::::o     o::::ou::::u    u::::u  p:::::p     p:::::p\r\n#   H:::::H     H:::::H  &:::::&  &::&&:::&&M::::::M    M:::::M    M::::::M     G:::::G        G::::G r:::::r            o::::o     o::::ou::::u    u::::u  p:::::p     p:::::p\r\n#   H:::::H     H:::::H  &:::::&   &:::::&  M::::::M     MMMMM     M::::::M      G:::::G       G::::G r:::::r            o::::o     o::::ou:::::uuuu:::::u  p:::::p    p::::::p\r\n# HH::::::H     H::::::HH&:::::&    &::::&  M::::::M               M::::::M       G:::::GGGGGGGG::::G r:::::r            o:::::ooooo:::::ou:::::::::::::::uup:::::ppppp:::::::p\r\n# H:::::::H     H:::::::H&::::::&&&&::::::&&M::::::M               M::::::M        GG:::::::::::::::G r:::::r            o:::::::::::::::o u:::::::::::::::up::::::::::::::::p \r\n# H:::::::H     H:::::::H &&::::::::&&&::::&M::::::M               M::::::M          GGG::::::GGG:::G r:::::r             oo:::::::::::oo   uu::::::::uu:::up::::::::::::::pp  \r\n# HHHHHHHHH     HHHHHHHHH   &&&&&&&&   &&&&&MMMMMMMM               MMMMMMMM             GGGGGG   GGGG rrrrrrr               ooooooooooo       uuuuuuuu  uuuup::::::pppppppp    \r\n#                                                                                                                                                           p:::::p            \r\n#                                                                                                                                                           p:::::p            \r\n#                                                                                                                                                          p:::::::p           \r\n#                                                                                                                                                          p:::::::p           \r\n#                                                                                                                         
                                 p:::::::p           \r\n#                                                                                                                                                          ppppppppp           \r\n#\r\n# The H&M Group consists of company affiliate of H & M Hennes & Mauritz AB and its brands; H&M, COS, Weekday, Monki, H&M HOME, & Other Stories, Arket and Afound.\r\n#\r\n#\r\n# --------------------------------------------------------- Responsible Disclosure Agreement ---------------------------------------------------------\r\n#\r\n# H&M (HENNES & MAURITZ) Group Responsible Disclosure Agreement \r\n#\r\n# At the H&M Group, we consider the security of our systems a top priority. \r\n# But no matter how much effort we put into system security, there can still be vulnerabilities present. \r\n#\r\n# OUR BUG BOUNTY PROGRAM HAS BEEN CLOSED UNTIL WE SOLVE SOME ISSUES WE HAVE WITH PAYOUTS.\r\n# We are truly sorry for this as we would like to get going again. \r\n# But we feel that being able to pay you quickly for your services and good work is important so therefor we have to wait until we have a working solution.\r\n#\r\n# NO REPORTS RECEIVED DURING THIS TIME WILL BE ELIGIBLE FOR A PAYOUT.\r\n# But you can allways send them in if that is not a problem from you.\r\n# Thank you all for your help in keeping us and our customers safe.\r\n#\r\n# Payout rules\r\n#\r\n# We will determine the payout amount according to Impact/Severity and Likelihood/Probability matrix below.\r\n# You are responsible for any tax implications depending on your country of residency and citizenship.\r\n# There may be additional restrictions on your ability to enter depending upon your local law.\r\n# We are unable to issue payouts to individuals who are on sanctions lists, or who are in countries on sanctions lists (for example: Cuba, Iran, North Korea, Syria, Crimea).\r\n# \r\n# This is not a competition, but rather a discretionary rewards program. 
\r\n# You should understand that we can cancel the program at any time.\r\n# The decision as to whether to pay a reward or not has to be entirely at our discretion.\r\n#\r\n# We will pay cash to invoicing ethical hackers and gift cards to private researchers.\r\n# We do not pay extra for multiple domains with the same finding.\r\n# We do not pay for findings that is already known to H&M Group.\r\n#\r\n#\r\n#                                    Impact / Severity\r\n#\r\n#                       |   High          |  Medium       |    Low               \r\n#                -------|-----------------|---------------|---------\r\n#                  High | up to 1500 EUR  | up to 800 EUR |   0 EUR      \r\n#  Likelihood    -------|-----------------|---------------|---------\r\n#       /        Medium | up to 800 EUR   |     0 EUR     |   0 EUR        \r\n#  Probability   -------|-----------------|---------------|---------\r\n#                   Low |     0 EUR       |     0 EUR     |   0 EUR       \r\n#                -------|-----------------|---------------|---------\r\n#\r\n#\r\n# Already known "features" that we don't pay for: \r\n#  * Old sessions will not terminate after a password change, this is mitigated using different technique. \r\n#  * We don't want information regarding DMARC and Email settings.  \r\n#  * Findings on rewear.hm.com and api.hmrewear.com is not paied for at this time. (Will be back after fixes have been applied)\r\n#  * Findings on doyel.hm.com is not paied for at this time. (Will be back after fixes have been applied) \r\n#\r\n#\r\n# What to do to enter program: \r\n#\r\n#  * E-mail your findings to bug-reports@hm.com \r\n#  \r\n#  * Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. \r\n#    Usually, the IP-address or the URL of the affected system and a description of the vulnerability will be sufficient, \r\n#    but complex vulnerabilities may require further explanation. 
\r\n#\r\n#\r\n# We are primarily interested in hearing about the following vulnerability categories: \r\n#  * Sensitive Data Exposure - Cross Site Scripting (XSS) Stored, SQL Injection, etc. \r\n#  * Authentication or Session Management related issues - IDOR (Insecure Direct Object References), Use of Hard-coded Credentials, etc. \r\n#  * Application logic misconfiguration that could lead to data leakage or not properly validated requests, etc. \r\n#  * Remote Code Execution - Vulnerabilities giving direct access to H&M Asset/servers\r\n#  * Other types of clever vulnerabilities or unique issues that do not fall into explicit categories, but still pose a threat to our systems or customers personal information, financial information and brand reputation.\r\n#\r\n# What not to do: \r\n#  * Do not test the physical security of H&M offices, stores, employees, equipment, etc.  \r\n#  * Do not test using social engineering techniques (phishing, vishing, etc.)  \r\n#  * Do not perform DoS or DDoS (Distributed Denial of Services) attacks.  \r\n#  * In any way attack our end users or engage in trade of stolen user credentials. \r\n#  * When testing, please only do so on accounts belonging to you. Do not use leaked or compromised accounts belonging to other users. Vulnerabilities that were discovered using leaked or compromised accounts will be disqualified. \r\n#  * Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary, or deleting or modifying other people's data to demonstrate the vulnerability. \r\n#  * Do not reveal your findings to third party until it has been resolved, we will do our best to remediate your findings within 90 days. \r\n#\r\n#\r\n# What we promise: \r\n#  * We will respond to your report as fast as possible (normally within 10 working days but it could be considerably longer during vacation periods) with our evaluation of the report. 
\r\n#  * If you have followed the instructions above, we will not take any legal action against you on the reported vulnerabilities. \r\n#  * We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission. \r\n#  * We will keep you informed of the progress towards resolving the problem. \r\n#\r\n#\r\n#\r\n#\r\n# ----------------------------------------------------- End of Responsible Disclosure Agreement ------------------------------------------------------\r\n#\r\n#\r\n# ---------------------------------------------------------------- Privacy Notice --------------------------------------------------------------------\r\n# Privacy Notice \r\n#\r\n# Commitment to data protection and privacy\r\n#  Protecting personal data and your privacy is of greatest concern for the H&M Group.\r\n#  The H&M Group consists of company affiliate of H & M Hennes & Mauritz AB and its brands; H&M, COS, Weekday, Monki, H&M HOME, & Other Stories, Arket and Afound. \r\n#\r\n# Principles\r\n#  The H&M Group manifests its commitment to privacy and data protection by embracing the following principles.\r\n#\r\n# * H&M uses personal data lawfully, fairly and in a transparent manner\r\n# * H&M collects no more personal data than necessary, and only for a legitimate purpose.\r\n# * H&M retains no more data than necessary or for a longer period than needed.\r\n# * H&M protects personal data with appropriate security measures.\r\n#\r\n# About this Privacy Notice\r\n#  This Privacy Notice intends to establish a clear, concise and transparent communication on the collection, use, processing, storing etc. of personal data relating to external partners of the H&M Group. \r\n#\r\n# Who is responsible for processing of your personal data?\r\n#  The Swedish company, H & M Hennes & Mauritz GBC  AB is responsible for the processing of personal data within the scope of this Privacy Notice. 
\r\n#\r\n# Identity of H&M Group controller:\r\n#  H & M Hennes & Mauritz GBC AB\r\n#  Address: M\ufffdster Samuelsgatan 46\r\n#  ZIP: 106 38 Stockholm\r\n#  Sweden\r\n#  Companies register: Bolagsverket/Swedish Companies Registration Office\r\n#  Authorised representative: Helena Helmersson\r\n#  VAT registration number: VAT NO. SE556070171501\r\n#\r\n# The named H&M Group controller(s) above are throughout this Privacy Notice individually or collectively referred to as "H&M", "we" or "us". \r\n#\r\n# Where do we store your data?\r\n#  The personal data that we collected from you is generally stored within a country of the European Union or the European Economic Area ("EU/EEA").\r\n#\r\n# Why and how do we use your personal data? What is the legal basis?\r\n#  We process your personal data to be able register your query or report and reply to you. The only personal data we obtain from you is processed when you contact us via the email bug-reports@hm.com. \r\n#  The processing of your personal data for the mentioned purpose is based on our legitimate interest as a business.\r\n#\r\n# Who has access to your data?\r\n#  We share your personal data within the H&M Group whenever necessary to fulfil the intended purpose. \r\n#\r\n# How long do we keep your personal data?\r\n# We will process your personal data no more than necessary for us to fulfil the purpose. All data registered at the mailbox is automatically removed annually.\r\n#\r\n# Which rights do you have?\r\n#  \r\n# -Right to access:\r\n#   You have the right to request information about the personal data we hold on you for the purposes stated above at any time. \r\n#   In case you would like to exercise your rights related to processing of your personal data as a customer please consult our H&M Group Privacy Notice for Customers. 
\r\n#\r\n# -Right to rectification: \r\n#   You have the right to request rectification of your personal data processed for the purposes stated above if the information is incorrect, including the right to have incomplete personal data completed.\r\n#\r\n# -Right to erasure:\r\n#   You have the right to erase your personal data processed by H&M for the purposes stated above except for the following situation\r\n#   * you have an ongoing matter with Core Security team\r\n#   * if you are suspected or have misused our services within the last four years\r\n#\r\n# -Your right to object to processing based on legitimate interest: \r\n#   You have the right to object to processing of your personal data that is based on H&M's legitimate interest. H&M will not continue to process the personal data unless we can demonstrate legitimate grounds for the process which overrides your interest and rights or due to legal claims.\r\n#\r\n# -Right to restriction:\r\n#   You have the right to request that H&M restricts the process of your personal data for the purposes stated above under the following circumstances:\r\n#   * if you object to a processing based H&M's legitimate interest, H&M shall restrict all processing of such data pending the verification of the legitimate interest.\r\n#   * if you have claim that your personal data is incorrect, H&M must restrict all processing of such data pending the verification of the accuracy of the personal data.\r\n#   * if the processing is unlawful you can oppose the erasure of personal data and instead request the restriction of the use of your personal data instead\r\n#   * if H&M no longer needs the personal data but it is required by you to defend legal claims.\r\n#\r\n# How do you exercise your rights?\r\n#  We take data protection very seriously and you can always reach us at bug-reports@hm.com.\r\n#\r\n# Data Protection Officer:\r\n#  We have appointed a Data Protection Officer to ensure that we continuously process your personal 
data in an open, accurate and legal manner. You can contact our Data Protection Officer at dataprivacy@hm.com and write DPO as subject matter.\r\n#\r\n# Right to complain with a supervisory authority: \r\n#  If you have complaints about the way H&M Group processes and protects your personal data and privacy you have the right, at any time, to make a complaint to the Swedish Data Protection Authority or any other competent a supervisory authority in the country of residence.\r\n#\r\n# Updates to our Privacy Notice:\r\n#  We may need to update our Privacy Notice. We will communicate any material changes.\r\n#\r\n#\r\n# ----------------------------------------------------------------- End of Privacy Notice ------------------------------------------------------------\r\n#\r\n# --- End for the Humanoid ---",
    "min_text": "Contact: mailto:bug-reports@hm.com\nExpires: 2023-03-31T13:00:00.000Z\nPreferred-Languages: en\nPolicy: Begins on Line 40 in this file\n",
    "items": {
      "Acknowledgements": [],
      "Canonical": [],
      "Contact": [
        "mailto:bug-reports@hm.com"
      ],
      "Encryption": [],
      "Preferred-Languages": "en",
      "Expires": "2023-03-31T13:00:00.000Z",
      "Hiring": [],
      "Policy": [
        "Begins on Line 40 in this file"
      ]
    },
    "headers": {
      "accept-ranges": "bytes",
      "content-type": "text/plain",
      "etag": "\"fd0e9cbe12442b7b2615955d544b7093:1704704328.601528\"",
      "last-modified": "Mon, 08 Jan 2024 08:58:48 GMT",
      "server": "AkamaiNetStorage",
      "vary": "Accept-Encoding",
      "content-encoding": "gzip",
      "date": "Wed, 24 Apr 2024 10:19:40 GMT",
      "content-length": "4999",
      "server-timing": "cdn-cache; desc=HIT, edge; dur=598, ak_p; desc=\"1713953979670_389060539_138788697_59786_9801_13_15_15\";dur=1",
      "set-cookie": "ak_bmsc=1A07EA5008C349601C9518934A170120~000000000000000000000000000000~YAAQu5cwF8PfggaPAQAAkT+eDxfVZeMJGDy95DhW2fsjjpE4CUHKXJBfBe8DpQEuh11CZX6jPNBV08eF4xd/3vy5izXrvIJcQS0jECm4pBcw/I6zc2YqHvxh962Vw1w5jvSrlRTU1bm1IN3Zkm8X/DKtd145rkjBR+LumTuhPA6gXF8Iv92HaZc40Q4jgV6vs0zJ0iTvrj36Lo6HcHLr6KHke3aqiae9h99pxkhrVNS/P0WGntknQ2ZfejGFdTxtmNzjN9nXhTfyfsb36eh7T1NG5SjIAX6Q5e+/VBhixOFsDewA4pCkPqB7a5LnjFsUuE+2mnUWbkUnfcpuGD58r7FiC098aIJgciViahxLRGTEd3dazeFhAWvKUX6Hes8Soi3jmQ==; Domain=.hm.com; Path=/; Expires=Wed, 24 Apr 2024 12:19:39 GMT; Max-Age=7199"
    },
    "http_version": "HTTP/2",
    "redirects": [
      {
        "type": "301",
        "val": "https://hm.com/security.txt",
        "https": true,
        "http_version": "HTTP/2"
      },
      {
        "type": "200",
        "val": "https://www.hm.com/security.txt",
        "https": true,
        "http_version": "HTTP/2"
      }
    ],
    "type": "https_root"
  },
  "rank": 322
}

dnssecuritytxt (DNS)

You can find out more about dnssecuritytxt here.

No DNS records found: the scan returned no security_contact or security_policy TXT record for hm.com (matching_domain is null), so the only published security contact for this domain is the HTTP security.txt below.

security.txt (HTTP)

You can find out more about security.txt here or by looking up RFC 9116.

Status: 200

Scheme: https

URL: https://www.hm.com/security.txt (HTTP/2), reached via a 301 redirect from https://hm.com/security.txt. This is the legacy top-level location; RFC 9116 specifies /.well-known/security.txt as the canonical path, and this scan (type: https_root) does not show whether that path is also served.

Has a contact: Yes — but the file is stale. Its Expires value is 2023-03-31T13:00:00.000Z, more than a year before this scan (24 April 2024), and the served copy carries a last-modified date of 08 Jan 2024, i.e. it was edited after expiry without the Expires field being renewed. RFC 9116 says an expired file should not be relied on, so the contact details below should be re-verified before use.

Contacts:

  • mailto:bug-reports@hm.com (no Encryption field is published, so no key is advertised for encrypting reports sent to this address, and the file itself is not PGP-signed)

Policy:

  • Begins on Line 40 in this file — not a URI. RFC 9116 requires the Policy field to be a link, so automated consumers will not resolve this value; the disclosure policy is instead embedded as comment lines in the file itself (see the Full version below).

Minimal version:

Contact: mailto:bug-reports@hm.com
Expires: 2023-03-31T13:00:00.000Z
Preferred-Languages: en
Policy: Begins on Line 40 in this file

Full version:

# Version 2.3
#
# --- For the Robots ---
Contact: mailto:bug-reports@hm.com
Expires: 2023-03-31T13:00:00.000Z
Preferred-Languages: en
Policy: Begins on Line 40 in this file
# --- End for the Robots ---
#
#
#
# --- For the Humanoid ---
#
# HHHHHHHHH     HHHHHHHHH     &&&&&&&&&&    MMMMMMMM               MMMMMMMM             GGGGGGGGGGGGG                                                                          
# H:::::::H     H:::::::H    &::::::::::&   M:::::::M             M:::::::M          GGG::::::::::::G                                                                          
# H:::::::H     H:::::::H   &::::&&&:::::&  M::::::::M           M::::::::M        GG:::::::::::::::G                                                                          
# HH::::::H     H::::::HH  &::::&   &::::&  M:::::::::M         M:::::::::M       G:::::GGGGGGGG::::G                                                                          
#   H:::::H     H:::::H    &::::&   &::::&  M::::::::::M       M::::::::::M      G:::::G       GGGGGGrrrrr   rrrrrrrrr      ooooooooooo   uuuuuu    uuuuuu ppppp   ppppppppp   
#   H:::::H     H:::::H     &::::&&&::::&   M:::::::::::M     M:::::::::::M     G:::::G              r::::rrr:::::::::r   oo:::::::::::oo u::::u    u::::u p::::ppp:::::::::p  
#   H::::::HHHHH::::::H     &::::::::::&    M:::::::M::::M   M::::M:::::::M     G:::::G              r:::::::::::::::::r o:::::::::::::::ou::::u    u::::u p:::::::::::::::::p 
#   H:::::::::::::::::H      &:::::::&&     M::::::M M::::M M::::M M::::::M     G:::::G    GGGGGGGGGGrr::::::rrrrr::::::ro:::::ooooo:::::ou::::u    u::::u pp::::::ppppp::::::p
#   H:::::::::::::::::H    &::::::::&   &&&&M::::::M  M::::M::::M  M::::::M     G:::::G    G::::::::G r:::::r     r:::::ro::::o     o::::ou::::u    u::::u  p:::::p     p:::::p
#   H::::::HHHHH::::::H   &:::::&&::&  &:::&M::::::M   M:::::::M   M::::::M     G:::::G    GGGGG::::G r:::::r     rrrrrrro::::o     o::::ou::::u    u::::u  p:::::p     p:::::p
#   H:::::H     H:::::H  &:::::&  &::&&:::&&M::::::M    M:::::M    M::::::M     G:::::G        G::::G r:::::r            o::::o     o::::ou::::u    u::::u  p:::::p     p:::::p
#   H:::::H     H:::::H  &:::::&   &:::::&  M::::::M     MMMMM     M::::::M      G:::::G       G::::G r:::::r            o::::o     o::::ou:::::uuuu:::::u  p:::::p    p::::::p
# HH::::::H     H::::::HH&:::::&    &::::&  M::::::M               M::::::M       G:::::GGGGGGGG::::G r:::::r            o:::::ooooo:::::ou:::::::::::::::uup:::::ppppp:::::::p
# H:::::::H     H:::::::H&::::::&&&&::::::&&M::::::M               M::::::M        GG:::::::::::::::G r:::::r            o:::::::::::::::o u:::::::::::::::up::::::::::::::::p 
# H:::::::H     H:::::::H &&::::::::&&&::::&M::::::M               M::::::M          GGG::::::GGG:::G r:::::r             oo:::::::::::oo   uu::::::::uu:::up::::::::::::::pp  
# HHHHHHHHH     HHHHHHHHH   &&&&&&&&   &&&&&MMMMMMMM               MMMMMMMM             GGGGGG   GGGG rrrrrrr               ooooooooooo       uuuuuuuu  uuuup::::::pppppppp    
#                                                                                                                                                           p:::::p            
#                                                                                                                                                           p:::::p            
#                                                                                                                                                          p:::::::p           
#                                                                                                                                                          p:::::::p           
#                                                                                                                                                          p:::::::p           
#                                                                                                                                                          ppppppppp           
#
# The H&M Group consists of company affiliate of H & M Hennes & Mauritz AB and its brands; H&M, COS, Weekday, Monki, H&M HOME, & Other Stories, Arket and Afound.
#
#
# --------------------------------------------------------- Responsible Disclosure Agreement ---------------------------------------------------------
#
# H&M (HENNES & MAURITZ) Group Responsible Disclosure Agreement 
#
# At the H&M Group, we consider the security of our systems a top priority. 
# But no matter how much effort we put into system security, there can still be vulnerabilities present. 
#
# OUR BUG BOUNTY PROGRAM HAS BEEN CLOSED UNTIL WE SOLVE SOME ISSUES WE HAVE WITH PAYOUTS.
# We are truly sorry for this as we would like to get going again. 
# But we feel that being able to pay you quickly for your services and good work is important so therefor we have to wait until we have a working solution.
#
# NO REPORTS RECEIVED DURING THIS TIME WILL BE ELIGIBLE FOR A PAYOUT.
# But you can allways send them in if that is not a problem from you.
# Thank you all for your help in keeping us and our customers safe.
#
# Payout rules
#
# We will determine the payout amount according to Impact/Severity and Likelihood/Probability matrix below.
# You are responsible for any tax implications depending on your country of residency and citizenship.
# There may be additional restrictions on your ability to enter depending upon your local law.
# We are unable to issue payouts to individuals who are on sanctions lists, or who are in countries on sanctions lists (for example: Cuba, Iran, North Korea, Syria, Crimea).
# 
# This is not a competition, but rather a discretionary rewards program. 
# You should understand that we can cancel the program at any time.
# The decision as to whether to pay a reward or not has to be entirely at our discretion.
#
# We will pay cash to invoicing ethical hackers and gift cards to private researchers.
# We do not pay extra for multiple domains with the same finding.
# We do not pay for findings that is already known to H&M Group.
#
#
#                                    Impact / Severity
#
#                       |   High          |  Medium       |    Low               
#                -------|-----------------|---------------|---------
#                  High | up to 1500 EUR  | up to 800 EUR |   0 EUR      
#  Likelihood    -------|-----------------|---------------|---------
#       /        Medium | up to 800 EUR   |     0 EUR     |   0 EUR        
#  Probability   -------|-----------------|---------------|---------
#                   Low |     0 EUR       |     0 EUR     |   0 EUR       
#                -------|-----------------|---------------|---------
#
#
# Already known "features" that we don't pay for: 
#  * Old sessions will not terminate after a password change, this is mitigated using different technique. 
#  * We don't want information regarding DMARC and Email settings.  
#  * Findings on rewear.hm.com and api.hmrewear.com is not paied for at this time. (Will be back after fixes have been applied)
#  * Findings on doyel.hm.com is not paied for at this time. (Will be back after fixes have been applied) 
#
#
# What to do to enter program: 
#
#  * E-mail your findings to bug-reports@hm.com 
#  
#  * Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. 
#    Usually, the IP-address or the URL of the affected system and a description of the vulnerability will be sufficient, 
#    but complex vulnerabilities may require further explanation. 
#
#
# We are primarily interested in hearing about the following vulnerability categories: 
#  * Sensitive Data Exposure - Stored Cross-Site Scripting (XSS), SQL Injection, etc. 
#  * Authentication or Session Management related issues - IDOR (Insecure Direct Object References), Use of Hard-coded Credentials, etc. 
#  * Application logic misconfiguration that could lead to data leakage or not properly validated requests, etc. 
#  * Remote Code Execution - Vulnerabilities giving direct access to H&M assets/servers
#  * Other types of clever vulnerabilities or unique issues that do not fall into explicit categories, but still pose a threat to our systems or to our customers' personal information, financial information and brand reputation.
#
# What not to do: 
#  * Do not test the physical security of H&M offices, stores, employees, equipment, etc.  
#  * Do not test using social engineering techniques (phishing, vishing, etc.)  
#  * Do not perform DoS or DDoS (Distributed Denial of Service) attacks.  
#  * Do not in any way attack our end users or engage in the trade of stolen user credentials. 
#  * When testing, please only do so on accounts belonging to you. Do not use leaked or compromised accounts belonging to other users. Vulnerabilities that were discovered using leaked or compromised accounts will be disqualified. 
#  * Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary, or deleting or modifying other people's data to demonstrate the vulnerability. 
#  * Do not reveal your findings to third parties until they have been resolved; we will do our best to remediate your findings within 90 days. 
#
#
# What we promise: 
#  * We will respond to your report as fast as possible (normally within 10 working days but it could be considerably longer during vacation periods) with our evaluation of the report. 
#  * If you have followed the instructions above, we will not take any legal action against you on the reported vulnerabilities. 
#  * We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission. 
#  * We will keep you informed of the progress towards resolving the problem. 
#
#
#
#
# ----------------------------------------------------- End of Responsible Disclosure Agreement ------------------------------------------------------
#
#
# ---------------------------------------------------------------- Privacy Notice --------------------------------------------------------------------
# Privacy Notice 
#
# Commitment to data protection and privacy
#  Protecting personal data and your privacy is of greatest concern for the H&M Group.
#  The H&M Group consists of company affiliates of H & M Hennes & Mauritz AB and its brands: H&M, COS, Weekday, Monki, H&M HOME, & Other Stories, Arket and Afound. 
#
# Principles
#  The H&M Group manifests its commitment to privacy and data protection by embracing the following principles.
#
# * H&M uses personal data lawfully, fairly and in a transparent manner
# * H&M collects no more personal data than necessary, and only for a legitimate purpose.
# * H&M retains no more data than necessary or for a longer period than needed.
# * H&M protects personal data with appropriate security measures.
#
# About this Privacy Notice
#  This Privacy Notice intends to establish a clear, concise and transparent communication on the collection, use, processing, storing etc. of personal data relating to external partners of the H&M Group. 
#
# Who is responsible for processing of your personal data?
#  The Swedish company H & M Hennes & Mauritz GBC AB is responsible for the processing of personal data within the scope of this Privacy Notice. 
#
# Identity of H&M Group controller:
#  H & M Hennes & Mauritz GBC AB
#  Address: Mäster Samuelsgatan 46
#  ZIP: 106 38 Stockholm
#  Sweden
#  Companies register: Bolagsverket/Swedish Companies Registration Office
#  Authorised representative: Helena Helmersson
#  VAT registration number: VAT NO. SE556070171501
#
# The named H&M Group controller(s) above are throughout this Privacy Notice individually or collectively referred to as "H&M", "we" or "us". 
#
# Where do we store your data?
#  The personal data that we collected from you is generally stored within a country of the European Union or the European Economic Area ("EU/EEA").
#
# Why and how do we use your personal data? What is the legal basis?
#  We process your personal data to be able to register your query or report and reply to you. The only personal data we obtain from you is processed when you contact us via the email bug-reports@hm.com. 
#  The processing of your personal data for the mentioned purpose is based on our legitimate interest as a business.
#
# Who has access to your data?
#  We share your personal data within the H&M Group whenever necessary to fulfil the intended purpose. 
#
# How long do we keep your personal data?
# We will process your personal data no more than necessary for us to fulfil the purpose. All data registered at the mailbox is automatically removed annually.
#
# Which rights do you have?
#  
# -Right to access:
#   You have the right to request information about the personal data we hold on you for the purposes stated above at any time. 
#   In case you would like to exercise your rights related to processing of your personal data as a customer please consult our H&M Group Privacy Notice for Customers. 
#
# -Right to rectification: 
#   You have the right to request rectification of your personal data processed for the purposes stated above if the information is incorrect, including the right to have incomplete personal data completed.
#
# -Right to erasure:
#   You have the right to erase your personal data processed by H&M for the purposes stated above except in the following situations:
#   * you have an ongoing matter with the Core Security team
#   * you are suspected of having misused, or have misused, our services within the last four years
#
# -Your right to object to processing based on legitimate interest: 
#   You have the right to object to processing of your personal data that is based on H&M's legitimate interest. H&M will not continue to process the personal data unless we can demonstrate legitimate grounds for the process which overrides your interest and rights or due to legal claims.
#
# -Right to restriction:
#   You have the right to request that H&M restricts the process of your personal data for the purposes stated above under the following circumstances:
#   * if you object to processing based on H&M's legitimate interest, H&M shall restrict all processing of such data pending the verification of the legitimate interest.
#   * if you claim that your personal data is incorrect, H&M must restrict all processing of such data pending the verification of the accuracy of the personal data.
#   * if the processing is unlawful, you can oppose the erasure of your personal data and instead request the restriction of its use
#   * if H&M no longer needs the personal data but it is required by you to defend legal claims.
#
# How do you exercise your rights?
#  We take data protection very seriously and you can always reach us at bug-reports@hm.com.
#
# Data Protection Officer:
#  We have appointed a Data Protection Officer to ensure that we continuously process your personal data in an open, accurate and legal manner. You can contact our Data Protection Officer at dataprivacy@hm.com and write DPO as the subject.
#
# Right to complain with a supervisory authority: 
#  If you have complaints about the way H&M Group processes and protects your personal data and privacy, you have the right, at any time, to make a complaint to the Swedish Data Protection Authority or any other competent supervisory authority in your country of residence.
#
# Updates to our Privacy Notice:
#  We may need to update our Privacy Notice. We will communicate any material changes.
#
#
# ----------------------------------------------------------------- End of Privacy Notice ------------------------------------------------------------
#
# --- End for the Humanoid ---

Redirects:

  • 301: https://hm.com/security.txt (HTTP/2)
  • 200: https://www.hm.com/security.txt (HTTP/2)