IKEA Responsible Disclosure Policy
IKEA recognizes the need to engage the cybersecurity community to protect customer data and work together to create more secure solutions and applications. This Responsible Disclosure Program adds an extra layer to our IT security testing, where individuals, developers and experts (a.k.a. "Finders") can find and report security-related bugs in IKEA software before someone else does.
Finders are welcome to voluntarily report all vulnerabilities they can find connected to the IKEA solutions. The submission is subject to the terms and conditions set forth on this page (“Policy Terms”), and by submitting a vulnerability report to IKEA the Finder acknowledges that it has read and agreed to these terms.
It's time for bugs to bug off :)
Terms and Conditions
To comply with the terms in this Responsible Disclosure Policy:
- Do not execute or attempt to execute any “Denial of Service” attack.
- Do not post, transmit, upload, link to, send or store any malicious software.
- Do not test what would result in sending unsolicited or unauthorized junk mail, spam or other forms of unsolicited messages.
- Do not run automated scans without checking with IKEA first.
- Do not test in a manner that would corrupt the operation of IKEA solutions.
- Do not test equipment or the physical security in IKEA stores.
- Do not use social engineering techniques.
- Do not test third-party applications, websites or services that integrate with or link to IKEA properties.
- Do not publicly disclose any vulnerability before 30 days after the vulnerability is resolved by IKEA, and not without IKEA's prior written consent. Do not include any sensitive data in the disclosed vulnerability.
- Remove all data and sensitive information you got from the analysis once the report is submitted.
IKEA will make a best effort to meet the following response targets for hackers participating in our program:
- Time to first response (from report submit) - 2 business days
- Time to triage (from report submit) - 2 business days
We’ll try to keep you informed about our progress throughout the process.
For targets which are outside of our core regions, time to resolution may take longer. We will aim to communicate this ahead of time.
Accepted, in-scope vulnerabilities include, but are not limited to:
- Injection vulnerabilities
- Broken Authentication and Session Management
- Cross Site Scripting (XSS)
- Remote Code Execution
- Insecure Direct Object Reference
- Sensitive Data Exposure
- Security Misconfiguration
- Missing Function Level Access Control
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
- Directory/Path traversal
- Exposed credentials
Out of scope vulnerabilities
Certain vulnerabilities are considered out-of-scope for the Responsible Disclosure Program. Those out-of-scope vulnerabilities include, but are not limited to:
- Social Engineering attacks
- Account enumeration using brute-force attacks
- Cross-Site Request Forgery
- Weak password policies and password complexity requirements
- Missing HTTP security headers which do not lead to a vulnerability
- Clickjacking on static websites
- Reports from automated tools or scans
- Vulnerabilities affecting users of outdated browsers
- Presence of autocomplete attribute on web forms
- Missing cookie flags on non-sensitive cookies
- Reports of SSL issues, best practices or insecure ciphers
- Incomplete or missing SPF/DMARC/DKIM records
- Self-exploitation attacks
- Test versions of applications
- Mail configuration issues including SPF, DKIM, DMARC settings
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or brute-force issues on non-authentication endpoints
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Open redirect - unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
IKEA Mobile Applications
By submitting a report to IKEA, you acknowledge that you have read and agreed to these terms. You also warrant and represent to IKEA that you are the sole creator of the submission and you hereby grant IKEA the permission to use, reproduce, copy, modify and otherwise dispose of your submission in a manner as IKEA sees fit.
You acknowledge and agree that you shall not use your relationship with IKEA, the Ingka Group or the Inter IKEA Group for any marketing or financing purpose or as a reference in any personal or professional presentation, documentation or other material, or in any way utilize (neither on the Internet nor in any other way communicate to the public) any trade name, business name, logotype or trademark of IKEA, the Ingka Group or the Inter IKEA Group.
Please submit your findings here: Responsible Disclosure Platform
Thank you for helping keep IKEA and our users safe!