IKEA Responsible Disclosure Policy
IKEA recognizes the need to engage the cybersecurity community to protect customer data and to work together on more secure solutions and applications. This Responsible Disclosure Program adds an extra layer to our IT security testing: individuals, developers and experts (a.k.a. "Researchers") can find and report security-related bugs in IKEA software before someone else does.
Researchers are welcome to voluntarily report any vulnerabilities they find in IKEA solutions. Each submission is subject to the terms and conditions set forth on this page ("Policy Terms"), and by submitting a vulnerability report to IKEA the Finder acknowledges that they have read and agreed to these terms.
It's time for bugs to bug off :)
Terms and Conditions
To comply with the terms in this Responsible Disclosure Policy:
- Do not execute or attempt to execute any “Denial of Service” attack.
- Do not post, transmit, upload, link to, send or store any malicious software.
- Do not test what would result in sending unsolicited or unauthorized junk mail, spam or other forms of unsolicited messages.
- Do not run automated scans without checking with IKEA first.
- Do not test in a manner that would corrupt the operation of IKEA solutions.
- Do not test equipment or the physical security in IKEA stores.
- Do not use social engineering techniques.
- Do not test third-party applications, websites or services that integrate with or link to IKEA properties.
- Do not publicly disclose any vulnerability until 30 days after IKEA has resolved it, and never without IKEA's prior written consent. Do not include any sensitive data in the disclosed vulnerability.
- Delete all data and sensitive information obtained during your analysis once the report has been submitted.
Response Times
IKEA will make a best effort to meet the following response targets for researchers participating in our program:
- Time to first response (from report submit) - 2 business days
- Time to triage (from report submit) - 2 business days
We’ll try to keep you informed about our progress throughout the process.
For targets which are outside of our core regions, time to resolution may take longer. We will aim to communicate this ahead of time.
Vulnerabilities accepted
Accepted, in-scope vulnerabilities include, but are not limited to:
- Injection vulnerabilities
- Broken Authentication and Session Management
- Cross Site Scripting (XSS)
- Remote Code Execution
- Insecure Direct Object Reference
- Sensitive Data Exposure
- Security Misconfiguration
- Missing Function Level Access Control
- Using Components with Known Vulnerabilities
- Directory/Path traversal
- Exposed credentials
Out of scope vulnerabilities
Certain vulnerabilities are considered out-of-scope for the Responsible Disclosure Program. Those out-of-scope vulnerabilities include, but are not limited to:
- Social Engineering attacks
- Account enumeration using brute-force attacks
- Weak password policies and password complexity requirements
- Missing HTTP security headers which do not lead to a vulnerability
- Reports from automated tools or scans
- Presence of autocomplete attribute on web forms
- Missing cookie flags on non-sensitive cookies
- Reports of SSL/TLS issues, best practices or insecure ciphers
- Self-exploitation attacks
- Test versions of applications
- Mail configuration issues including SPF, DKIM, DMARC settings
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or brute-force issues on non-authentication endpoints
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies
- Vulnerabilities only affecting users of outdated or unpatched browsers
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Tabnabbing
- Open redirect - unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
- Credentials obtained by malware, data leaks or shared on the dark web
- Solutions affected by known CVEs published less than 30 days ago
In scope
Domain: IKEA.com, *.IKEA.com, IKEA.* and any other IKEA branded domain/service
Other: IKEA Mobile Applications, IKEA HomeSmart Products
Awarding process
An internal committee meets monthly to review reports and decide on rewards. Only CRITICAL and HIGH vulnerabilities that have been resolved may receive an award, and the decision is solely IKEA's.
Legal
By submitting a report to IKEA, you acknowledge that you have read and agreed to these terms. You also warrant and represent to IKEA that you are the sole creator of the submission and you hereby grant IKEA the permission to use, reproduce, copy, modify and otherwise dispose of your submission in a manner as IKEA sees fit.
You acknowledge and agree that you shall not use your relationship with IKEA, the Ingka Group or the Inter IKEA Group for any marketing or financing purpose or as a reference in any personal or professional presentation, documentation or other material, nor in any way use (neither on the Internet nor in any other way communicate to the public) any trade name, business name, logotype or trademark of IKEA, the Ingka Group or the Inter IKEA Group.
Thank you for helping keep IKEA and our users safe!
Please submit your findings here: Responsible Disclosure Platform