Five Minnesota Companies. Five Security Postures. The Snowmobile Company Wins.
- Patrick Duggan
We scanned five Minnesota-headquartered companies from the public internet. No tools beyond dig, curl, and openssl. No authentication. No exploitation. Just the things any attacker sees before they start.
The results are not what you would expect.
The Scorecard
We checked seven controls that every company should have deployed in 2026: HSTS (force HTTPS), X-Frame-Options (prevent clickjacking), X-Content-Type-Options (prevent MIME sniffing), Content-Security-Policy (control script execution), Referrer-Policy (control data leakage), DMARC at reject (prevent email spoofing), and SPF at hardfail (enforce sender authentication).
We also checked for DNSSEC, security.txt, a bug bounty program, and the basic architecture — WAF, CDN, cookie security.
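The header half of that scorecard can be reproduced against any captured response. The scorer below is an added example written for this article, not the author's AIPM tooling, and the two header sets in it are constructed samples rather than captures from any of the five companies. The preload test encodes the browser preload list's published minimum (one-year max-age, includeSubDomains, preload); the cookie and Server-banner checks cover the remaining points the writeups call out.

```python
"""Score the five HTTP response-header controls from the scorecard
(HSTS, X-Frame-Options, X-Content-Type-Options, Content-Security-Policy,
Referrer-Policy), the HSTS preload requirements, cookie flags and the
Server banner on a captured response. The header sets below are
constructed samples, not captured from any company named in the post."""
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]  # repeated names (Set-Cookie) are allowed

ONE_YEAR = 31536000  # seconds; the minimum max-age the preload list accepts

SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "origin", "origin-when-cross-origin",
    "no-referrer-when-downgrade",
}


def hsts_max_age(value: str) -> int:
    """Return the max-age directive of a Strict-Transport-Security value (0 if absent)."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0


def hsts_preload_ready(value: str) -> bool:
    """True if the HSTS value meets the preload list minimum:
    max-age of at least one year plus includeSubDomains and preload."""
    directives = {d.strip().lower() for d in value.split(";")}
    return (hsts_max_age(value) >= ONE_YEAR
            and "includesubdomains" in directives
            and "preload" in directives)


# Control name -> predicate deciding whether the header value counts as deployed.
HEADER_CHECKS = {
    "strict-transport-security": lambda v: hsts_max_age(v) > 0,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    # A CSP that sets neither default-src nor script-src does not control script execution.
    "content-security-policy": lambda v: any(
        d.strip().lower().startswith(("default-src", "script-src")) for d in v.split(";")),
    # "unsafe-url" is syntactically valid but leaks the full URL cross-origin, so it does not count.
    "referrer-policy": lambda v: v.strip().lower() in SAFE_REFERRER_POLICIES,
}


def score_headers(headers: Headers) -> Dict[str, bool]:
    """Map each scorecard control to True/False for one response."""
    first: Dict[str, str] = {}
    for name, value in headers:
        first.setdefault(name.lower(), value)  # first occurrence wins
    return {ctrl: ctrl in first and check(first[ctrl]) for ctrl, check in HEADER_CHECKS.items()}


def cookie_flags(set_cookie: str) -> Dict[str, bool]:
    """Report HttpOnly / Secure / SameSite on a single Set-Cookie value."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return {
        "HttpOnly": "httponly" in attrs,
        "Secure": "secure" in attrs,
        "SameSite": any(a.startswith("samesite=") for a in attrs),
    }


def server_banner(headers: Headers) -> str:
    """Return the Server header if the response advertises its product, else ''."""
    return next((v for n, v in headers if n.lower() == "server"), "")


# Constructed sample: a hardened response with all five controls and flagged cookies.
HARDENED: Headers = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' https://cdn.example"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
]

# Constructed sample: a bare response that advertises its load balancer and nothing else.
BARE: Headers = [
    ("Server", "BigIP"),
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("bare", BARE)):
        s = score_headers(hdrs)
        print(f"{label}: {sum(s.values())}/{len(s)} header controls, "
              f"banner={server_banner(hdrs) or 'hidden'}")
```

Feeding it a real response is a matter of converting `curl -sI https://example.com` output into (name, value) pairs; the scorer deliberately treats a present-but-useless value (a Referrer-Policy of unsafe-url, a CSP with no script directive) as not deployed.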
Target — 7 out of 10
The 2013 breach cost Target $202 million and the jobs of their CEO and CIO. They learned.
Five of seven security headers present. DMARC at reject. HackerOne bug bounty program. Fastly CDN with proper cookie security — HttpOnly, Secure, SameSite on authentication tokens. HSTS enabled.
Missing DNSSEC. Missing security.txt. SPF at softfail instead of hardfail.
Target is the standard the others should be meeting.
General Mills — 5 out of 10
HSTS with preload — the only company on this list that submitted to the browser preload list. That is the gold standard for transport security. HackerOne bug bounty program. DMARC at reject. Using Dmarcian for DMARC analytics instead of bundling with their email vendor — a deliberate, informed choice.
But only two security headers total. No CSP, no X-Content-Type-Options, no Referrer-Policy. Running on Azure with no WAF or CDN — direct to the application server. Their e-commerce runs through Shopify, which is smart because Shopify handles PCI compliance.
The Cheerios company has better email security tooling than the electronics retailer. That is not a sentence I expected to write.
Best Buy — 2 out of 10
DMARC at reject. Proofpoint email gateway. That is the entire visible security posture.
Best Buy hides behind Akamai so aggressively that automated tools cannot retrieve HTTP response headers at all. Their WAF blocks curl, blocks wget, blocks anything that is not a real browser with a real fingerprint. From a scanning perspective, Best Buy has zero security headers because nobody can see them.
This is the "if you can't scan us, you can't find vulnerabilities" school of security. It works until it does not. If Akamai has a bypass — and Akamai bypasses get published on a regular basis — the application behind it has no visible defense-in-depth.
No security.txt. No HackerOne. No DNSSEC. No way to report a vulnerability if you find one.
A $42 billion retailer with no published method for security researchers to contact them. That is a choice.
Polaris — 6 out of 10
The surprise winner on email security. Polaris is the only company on this list with SPF at hardfail (-all). Every other company uses softfail (~all), which means spoofed email gets flagged but delivered. Polaris says no — reject it.
DMARC at reject on both the primary domain and all subdomains (sp=reject). Using Red Sift OnDMARC for smart SPF flattening. Cloudflare plus AWS Global Accelerator for infrastructure. Two security headers.
The company that makes snowmobiles and off-road vehicles has a more sophisticated email security stack than Best Buy. They chose the specialist tools — OnDMARC instead of Proofpoint's bundled DMARC, Cloudflare instead of Akamai. Smaller company, better choices.
Missing HSTS. Missing most security headers. No bug bounty. But the email posture is the tightest in the group.
Toro — 1 out of 10
This is bad.
Self-hosted on their own IP block. No WAF. No CDN. F5 BigIP load balancer with the server header exposed — advertising the infrastructure to anyone who asks. Zero security headers. No HSTS. No CSP. No X-Frame-Options. Nothing.
DMARC at quarantine instead of reject. Quarantine means spoofed email lands in the spam folder instead of being rejected. And their subdomain policy is sp=none — meaning anyone can spoof an address on any Toro subdomain with zero enforcement.
SPF at softfail. No DNSSEC. No security.txt. No bug bounty.
Toro is running 2013 infrastructure in 2026. The Bloomington-headquartered company that makes lawnmowers has a weaker security posture than most personal blogs. One BigIP vulnerability, one exposed management interface, one misconfigured virtual server, and Toro is front page news.
What Nobody Has
Zero out of five companies have DNSSEC enabled. DNSSEC prevents DNS spoofing — an attacker redirecting your customers to a fake website by poisoning DNS responses. The standard has been available for over a decade. Five Minnesota companies headquartered within 30 miles of each other, collectively worth over $100 billion, and not one of them has enabled it.
Zero out of five have security.txt. The standard (RFC 9116) was finalized in 2022. It is a text file that tells security researchers how to report vulnerabilities. It takes five minutes to create.
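Five minutes to create, and about as long to get wrong: the two fields RFC 9116 makes mandatory are Contact and Expires, and an expired file is as useless as a missing one. The validator below is an added example, not part of the original post; the file body it checks is a constructed sample with placeholder addresses on example domains, and the "current time" is passed in as a string so the check is reproducible.

```python
"""Validate a security.txt body against the RFC 9116 rules that matter in
practice: at least one Contact (a URI, so mailto:/https:/tel:), exactly one
Expires (RFC 3339, with a timezone offset, still in the future and, per the
RFC's recommendation, under a year out), and at most one Preferred-Languages.
The sample file below is constructed with placeholder addresses."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

URI_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def parse_security_txt(body: str) -> Dict[str, List[str]]:
    """Collect field values by name (case-insensitive); comments and blank lines are skipped."""
    fields: Dict[str, List[str]] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_rfc3339(value: str) -> Optional[datetime]:
    """Parse an RFC 3339 timestamp into an aware datetime; None if malformed or offset-less."""
    try:
        when = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    except ValueError:
        return None
    return when if when.tzinfo is not None else None


def security_txt_problems(body: str, now_rfc3339: str) -> List[str]:
    """Return a list of findings for the file as seen at now_rfc3339; empty means it passes."""
    now = _parse_rfc3339(now_rfc3339)
    if now is None:
        raise ValueError("now_rfc3339 must be an RFC 3339 timestamp with an offset")
    fields = parse_security_txt(body)
    problems: List[str] = []

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        if not URI_SCHEME.match(c):
            problems.append(f"Contact must be a URI (mailto:, https:, tel:): {c}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        when = _parse_rfc3339(expires[0])
        if when is None:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
        elif when <= now:
            problems.append("file has expired")
        elif when - now > timedelta(days=365):
            problems.append("Expires is more than a year out (RFC 9116 recommends under a year)")

    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages must appear at most once")
    return problems


# Constructed sample file (placeholder addresses); served at /.well-known/security.txt over HTTPS.
SAMPLE = """# Constructed sample security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:00Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

if __name__ == "__main__":
    print(security_txt_problems(SAMPLE, "2026-06-01T00:00:00Z") or "OK")
```

Run it on a live file by fetching `/.well-known/security.txt` and passing the body with the current UTC time; the most common real-world finding is the "file has expired" case, because the Expires field gets written once and never refreshed.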
Four of the five use SPF softfail; only Polaris does not. Softfail means "this email is probably spoofed but deliver it anyway." Four of five Minnesota companies are telling email servers to deliver spoofed email. Their DMARC policies catch it downstream, but the SPF record alone — the first line of defense — says yes.
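The email grades in the Polaris and Toro sections, and the softfail point above, all come down to reading three things out of two TXT records: the qualifier on SPF's terminal all mechanism, DMARC's p= policy, and the sp= subdomain policy (which silently inherits p= when absent). The evaluator below is an added example, not the author's tooling; its records are constructed samples on example domains, not the live records of any company named. It also goes one step beyond the post by honouring the pct= tag, since a p=reject with pct=50 only rejects half the failing mail.

```python
"""Evaluate the email-authentication posture the post grades: SPF hardfail vs
softfail, DMARC p= policy, the sp= subdomain policy (defaults to p= when
absent), and the pct= tag that can dilute a reject policy. The records below
are constructed samples on example domains."""
from typing import Dict, Tuple

SPF_QUALIFIERS = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass"}


def spf_all_qualifier(spf: str) -> str:
    """Return the qualifier on the terminal 'all' mechanism ('-', '~', '?', '+'),
    or '' when the record has no 'all' term (which SPF evaluates as neutral)."""
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        t = term.lower()
        if t == "all":
            return "+"  # an unqualified mechanism means pass
        if len(t) == 4 and t[1:] == "all" and t[0] in SPF_QUALIFIERS:
            return t[0]
    return ""


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs (keys lower-cased)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_policies(record: str) -> Tuple[str, str]:
    """Return (organisational-domain policy, effective subdomain policy)."""
    tags = parse_dmarc(record)
    p = tags.get("p", "none").lower()
    sp = tags.get("sp", p).lower()  # sp= is inherited from p= when omitted
    return p, sp


def email_posture(spf: str, dmarc: str) -> Dict[str, object]:
    """Summarise one domain's records the way the scorecard does."""
    q = spf_all_qualifier(spf)
    tags = parse_dmarc(dmarc)
    p, sp = dmarc_policies(dmarc)
    pct = int(tags.get("pct", "100"))  # RFC 7489 default is 100
    return {
        "spf": SPF_QUALIFIERS.get(q, "neutral"),
        "spf_hardfail": q == "-",
        "dmarc": p,
        "dmarc_subdomains": sp,
        # A reject policy with pct below 100 is only applied to that share of failing mail.
        "dmarc_reject_enforced": p == "reject" and pct == 100,
        "subdomains_spoofable": sp == "none",
    }


# Constructed samples (placeholder domains and reporting addresses).
TIGHT_SPF = "v=spf1 include:_spf.mailvendor.example ip4:192.0.2.0/24 -all"
TIGHT_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"

LOOSE_SPF = "v=spf1 include:_spf.mailvendor.example ~all"
LOOSE_DMARC = "v=DMARC1; p=quarantine; sp=none; rua=mailto:dmarc@example.org"

if __name__ == "__main__":
    for label, spf, dm in (("tight", TIGHT_SPF, TIGHT_DMARC), ("loose", LOOSE_SPF, LOOSE_DMARC)):
        print(label, email_posture(spf, dm))
```

To run it against a real domain, paste in the output of `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`; the tight sample reproduces the Polaris-style result (hardfail, reject, sp=reject) and the loose one the Toro-style result (softfail, quarantine, sp=none).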
The Rankings
Target — learned from catastrophe, shows the work
Polaris — best email security, modern stack, quiet competence
General Mills — HSTS preload is elite, everything else is average
Best Buy — hiding behind Akamai is not a security posture
Toro — genuinely concerning
Methodology
All data collected from public DNS records, HTTP response headers, SSL certificates, and WHOIS lookups. No authentication used. No exploitation attempted. No vulnerabilities tested. This is what any attacker, researcher, or customer can see from the outside.
We run these assessments using the same methodology that powers our AIPM platform at aipmsec.com, which has audited 1,193 domains across the cybersecurity industry. The Minnesota scorecard is an extension of that work — applied locally, where we live.
Fargo was released in 1996. So was the Minneapolis web security architecture, apparently.
