IKEA Responsible Disclosure Policy

IKEA recognizes the need to approach the cybersecurity community to protect customer data and work together to create more secure solutions and applications. This Responsible Disclosure Program adds an extra layer to our IT security testing, where individuals, developers and experts (a.k.a. “Finders”) can find and report security-related bugs in IKEA software before someone else does.

Finders are welcome to voluntarily report all vulnerabilities they can find connected to the IKEA solutions. The submission is subject to the terms and conditions set forth on this page (“Policy Terms”), and by submitting a vulnerability report to IKEA the Finder acknowledges that it has read and agreed to these terms.

It's time for bugs to bug off :)

Terms and Conditions


To comply with the terms in this Responsible Disclosure Policy:

Response Times


IKEA will make a best effort to meet the following response targets for hackers participating in our program:

We’ll try to keep you informed about our progress throughout the process.

For targets which are outside of our core regions, time to resolution may take longer. We will aim to communicate this ahead of time.

Vulnerabilities accepted


Accepted, in-scope vulnerabilities include, but are not limited to:

Out of scope vulnerabilities


Certain vulnerabilities are considered out-of-scope for the Responsible Disclosure Program. Those out-of-scope vulnerabilities include, but are not limited to:

In scope


Domain *.ikea.com Critical Bounty Ineligible
Other IKEA Family Critical Bounty Ineligible
Other IKEA Mobile Applications High Bounty Ineligible

Legal


By submitting a report to IKEA, you acknowledge that you have read and agreed to these terms. You also warrant and represent to IKEA that you are the sole creator of the submission and you hereby grant IKEA the permission to use, reproduce, copy, modify and otherwise dispose of your submission in a manner as IKEA sees fit.

You acknowledge and agree that you shall not use your relationship with IKEA, the Ingka Group or the Inter IKEA group for any marketing or financing purpose or as reference in any personal or professional presentation, documentation or other material, or in any way utilize (neither on the Internet nor in any other way communicate to the public) any trade name, business name, logotype or trade mark of IKEA, the Ingka Group or the Inter IKEA group.

Thank you for helping keep IKEA and our users safe!

Please submit your findings here: Responsible Disclosure Platform