Responsible Disclosure Policy

Safe and secure together

At IKEA, we value the trust and confidence our customers place in us. That's why the security of our website is so important. 

  • If you've discovered a vulnerability in one of our services we'd appreciate you letting us know about it by submitting your findings* via a Responsible Disclosure report available on our Bugs website.  

We'll take a look at your submission and, if it's valid and hasn't yet been reported, we may pay a bounty** for you efforts.  

Please visit our Bugs website for further information and terms of our Responsible Disclosure Policy. Together, we can keep IKEA.com secure. 

*IKEA won't take legal action against those who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy. 

**Responsible Disclosure reports may result in monetary compensation depending on both scope and potential business impact of the finding. Please note that it is only for the solutions in scope that IKEA will pay a bounty for.

Testing terms

In order to adhere to the terms in this Responsible Disclosure Policy, you're prohibited from:
• accessing, downloading or modifying (or attempting to access, download or modify) data from an account that does not belong to you;
• executing or attempting to execute any “Denial of Service” attack;
• posting, transmitting, uploading, linking to, sending or storing any malicious software;
• testing that would result in sending unsolicited or unauthorized junk mail, spam or other forms of unsolicited messages;
• performing testing that would corrupt the operation of any IKEA properties; or
• testing third-party applications, websites or services that integrate with or link to IKEA properties.
*IKEA won't take legal action against those who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy.
**Monetary compensation will only be awarded through our bug bounty program. Requests for compensation (monetary or other) in connection with identified or alleged vulnerability will be considered noncompliant with this Responsible Disclosure Policy.



Back to top
cross