IKEA Responsible Disclosure Program Rules
Internet-facing solutions are always at risk of attack: vulnerabilities are found and exploited.
Apart from its SDLC, IKEA uses various vulnerability scanning and penetration testing methods to find and fix security vulnerabilities in its solutions.
IKEA recognizes the need to engage the cybersecurity community in order to protect customer data and work together towards more secure solutions and applications. This Responsible Disclosure Program adds an extra layer to our IT security testing, where individuals, developers and experts (a.k.a. researchers) can find and report security-related bugs in our software before someone else does.
It's time for bugs to bug off :)
Terms and Conditions
To adhere to the terms of this Responsible Disclosure Policy, you are prohibited from:
- executing or attempting to execute any “Denial of Service” attack;
- posting, transmitting, uploading, linking to, sending or storing any malicious software;
- testing that would result in sending unsolicited or unauthorized junk mail, spam or other forms of unsolicited messages;
- performing testing that would corrupt the operation of any IKEA properties;
- testing third-party applications, websites or services that integrate with or link to IKEA properties; or
- publicly disclosing a vulnerability before 30 days have passed since IKEA closed it.
Responsible Disclosure for IKEA.com
IKEA would like to thank everyone for spending their time on reporting vulnerabilities to us. Since Responsible Disclosure is a new concept to IKEA, we are currently working hard in order to establish clear guidelines and become more mature in our ways of working. We thank you for your understanding and patience during this time.
You are welcome to report all vulnerabilities you find in IKEA IT solutions. In general, IKEA does not pay bounties for vulnerabilities reported within the Responsible Disclosure Program. However, a committee evaluates each high- and critical-severity submission on a monthly basis and may pay a reward depending on the business impact of the finding.
To make clear what IKEA considers most important, we would like you to focus on the following solutions:
Solutions in scope:
- IKEA Family
- IKEA mobile apps
Please note that the scope that is eligible for bounties may change at any given time.
Out of scope for all solutions:
- Broken Authentication and Session Management
- Cross Site Scripting (XSS)
- Insecure Direct Object Reference
- Sensitive Data Exposure
- Security Misconfiguration
- Missing Function Level Access Control
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
- Social Engineering
- Account enumeration using brute-force attacks
- Password complexity requirements
- Missing HTTP security headers that do not lead to a vulnerability
- Clickjacking on static websites
- Reports from automated tools or scans
- Vulnerabilities affecting users of outdated browsers
- Presence of autocomplete attribute on web forms
- Missing cookie flags on non-sensitive cookies
- Reports about SSL/TLS best practices or insecure ciphers
- Incomplete or missing SPF/DMARC/DKIM records
- Self-exploitation attacks
- Test versions of applications
Please submit your findings here: Responsible Disclosure Platform
Responsible Disclosure for IKEA Trådfri
In the future, IKEA will launch a separate program for reporting vulnerabilities connected to the Trådfri range. As soon as this new program is launched, the link and additional information will be published here.