Have you discovered critical security vulnerabilities in our Tools (Designer, Engine, Portal) or our open-source code, which can be found in the Developer Community, on Axon Ivy GitHub or the Axon Ivy Marketplace? Then report them to us!
We will reward you for your efforts!
The BugBounty@AxonIvy Program is open to everyone, with the following exceptions:
Responsible Disclosure is a prerequisite for participation.
Key Conditions:
Your Own Account: Vulnerabilities must be discovered using your own legitimate credentials. Accessing third-party accounts without permission is prohibited and will not be rewarded.
First Report Only: The report must be the first submission for the vulnerability. Duplicate reports will not be rewarded.
Current Components Only: Vulnerabilities in outdated third-party components are excluded.
Publication Restriction: The vulnerability must not be publicly disclosed until Axon Ivy has resolved it internally and communicated the fix.
Manual Discovery: Automated tools (e.g., for phishing, DDoS, or brute-force attacks) must not be used to find vulnerabilities.
Valid IBAN: You must have a valid IBAN to participate and receive the bonus.
Our BugBounty@AxonIvy Program focuses on critical security vulnerabilities in our products and services. Therefore, the following reports are not eligible:
If you follow our rules and submit a previously unknown vulnerability, you will receive a reward!
The reward amount depends on the severity of the vulnerability, measured by the industry-standard CVSS Score (see table). Axon Ivy makes the final determination of the payout amount.
Important: Payments will only be processed after you submit an invoice that meets the minimum requirements and you provide a valid IBAN.
Please send an email to security@axonivy.com with the following information:
Your vulnerability report will be reviewed by our security experts, assessed for severity, and classified based on its potential risk. The NVD-CVSS v4 Calculator serves as a guideline, but the final classification is determined by Axon Ivy.
Our goal: Quickly resolve the vulnerability and continuously improve the security of our products.
Thank you for helping us make Axon Ivy even more secure!