The BugBounty@AxonIvy Program

Help Us Improve Axon Ivy!

Have you discovered critical security vulnerabilities in our tools (Designer, Engine, Portal) or in our open-source code, which can be found in the Developer Community, on Axon Ivy GitHub or on the Axon Ivy Marketplace? Then report them to us!

We will reward you for your efforts!

Program Rules

The BugBounty@AxonIvy Program is open to everyone, with the following exceptions:

  • Current and former employees of Axon Ivy or the RICOH Group.
  • Relatives or legal representatives of these employees.
  • Minors without written consent from their legal guardians.

Responsible Disclosure is a prerequisite for participation.

Key Conditions:

Your Own Account: Vulnerabilities must be discovered using your own legitimate credentials. Accessing third-party accounts without permission is prohibited and will not be rewarded.

First Report Only: The report must be the first submission for the vulnerability. Duplicate reports will not be rewarded.

Current Components Only: Vulnerabilities in outdated third-party components are excluded.

Publication Restriction: The vulnerability must not be publicly disclosed until Axon Ivy has resolved it internally and communicated the fix.

Manual Discovery: Automated tools (e.g., for phishing, DDoS, or brute-force attacks) must not be used to find vulnerabilities.

Valid IBAN: You must have a valid IBAN to participate and receive the bonus.

Excluded Cases

Our BugBounty@AxonIvy Program focuses on critical security vulnerabilities in our products and services. Therefore, the following reports are not eligible:

  • Phishing emails or other messages misusing Axon Ivy email addresses.
  • Vulnerabilities without proof of actual exploitability.
  • Issues affecting only outdated browsers or insecure browser configurations.
  • Scanner reports without specific links to a vulnerability.
  • Violations of best practices (e.g., headers, SSL/TLS, DNS).
  • General availability or accessibility of our services.

How You Will Be Rewarded

If you follow our rules and submit a previously unknown vulnerability, you will receive a reward!

The reward amount depends on the severity of the vulnerability, measured by the industry-standard CVSS Score (see table). Axon Ivy makes the final determination of the payout amount.

Important: Payments will only be processed after you submit an invoice that meets the minimum requirements and you provide a valid IBAN.

How to Report Vulnerabilities

Please send an email to security@axonivy.com with the following information:

  1. A clear example (e.g., specific requests or proof-of-concept code).
  2. A detailed description of the vulnerability.
  3. Information about the browser you used and any special configurations (e.g., plugins).

What Happens to Your Report?

Your vulnerability report will be reviewed by our security experts, assessed for severity, and classified based on its potential risk. The NVD-CVSS v4 Calculator serves as a guideline, but the final classification is determined by Axon Ivy.

Our goal: Quickly resolve the vulnerability and continuously improve the security of our products.

Thank you for helping us make Axon Ivy even more secure!

What are you waiting for?
Join the BugBounty@AxonIvy program today, earn exciting rewards, and play a key role in making our products safer than ever before!