Axis Vulnerability Management Policy

Overview

Axis, as a CVE Numbering Authority (CNA) under the MITRE domain, follows industry best practices in managing and responding to security vulnerabilities discovered in our products. There is no way to guarantee that products and services delivered by Axis are entirely free from vulnerabilities. This is not unique to Axis, but rather a general condition for all software and services. What Axis can guarantee is that we will make a concerted effort at every stage of development to identify and mitigate potential vulnerabilities thus reducing the risk associated with deploying Axis products and services in customer environments.

Axis acknowledges that certain standard network protocols and services may have inherent weaknesses that could be exploited. While Axis does not take responsibility for these protocols and services, we do provide recommendations on how to reduce risks related to your Axis products, software and services in the form of our AXIS OS Hardening Guide, AXIS Camera Station System Hardening Guide and Axis Network Switches Hardening Guide.

Scope

The vulnerability management policy described in this document applies to all Axis-branded products, software and services. Excluded from this policy are 2N products, software and services, which are managed by the 2N security team.

Commitment

Axis appreciates and encourages the efforts made by researchers in identifying and reporting vulnerabilities in Axis products, software and services. By following the responsible disclosure process, the Axis Product Security Team, to its best abilities, will respect the researcher’s interest through mutual collaboration and transparency throughout the disclosure process.

Axis expects researchers not to disclose vulnerabilities before a 90-day period or mutually agreed date and to perform vulnerability research within legal boundaries that would not cause harm, expose privacy, or compromise safety of Axis and its partners and customers.

Vulnerability management

Axis uses the same classification for third party open-source components and Axis-specific vulnerabilities. Vulnerabilities are scored using the commonly known CVSS rating system (Common Vulnerability Scoring System). With regards to open-source vulnerabilities, Axis may assess the vulnerability accordingly to its relevance in the context of how Axis recommends deploying its products, software and services. A security advisory is typically provided only for Axis-specific vulnerabilities. The following section describes the prioritization for when a vulnerability has been assessed and is eligible for correction:

CVSSv3.1 high/critical (7.0 – 10.0)
Axis aims to patch the vulnerability before or within 3 weeks after the external disclosure. For open-source components, the lead-time is usually longer as Axis depends on external parties for information, patches, and/or verification.

CVSSv3.1 medium (4.0 – 6.9)
Axis aims to patch the vulnerability usually within 1 to 3 months.

CVSSv3.1 low (0.1 – 3.9)
Axis aims to patch the vulnerability as part of an upcoming scheduled release.

Supported software/services
The support stage of an Axis software/service is defined through a common software lifecycle process. Axis software/services are usually supported three years after the discontinuation announcement.

Example of a discontinued software product that is receiving support until 2024-04-30.

While in this phase, Axis software/services are considered supported until they have reached their Discontinued software/services phase.

Example of a discontinued software product as can be found on axis.com.

Supported products
The support of an Axis product is defined through the common hardware product lifecycle process. Axis products are considered supported until they have reached the Discontinued product. Online support only phase

Information about the actual status of Axis products can be obtained from the corresponding Axis product page on www.axis.com. More information about the general support policy after a product discontinuation can be found here.

Example of a discontinued hardware product as can be found on axis.com.

AXIS OS is the operating system that powers most Axis network products. For many products, Axis provides extended software support through AXIS OS long-term support (LTS) tracks. Utilizing the LTS track can extend the overall product lifecycle support of an Axis product. Read more about AXIS OS here.

AXIS OS support overview

The active track releases a new version every second months where only the latest version is supported. The LTS tracks are created every two years and are supported and maintained for about 5 years.

Currently supported AXIS OS LTS and active tracks (as of October 2023).

Reporting vulnerabilities

Axis works continuously to identify and limit the risk associated with vulnerabilities in our offering. However, if you identify a security vulnerability associated with an Axis product, software or service, we urge you to report the problem immediately. Timely reporting of security vulnerabilities is critical for reducing the likelihood that they can be exploited in practice. Security vulnerabilities related to open-source software components should be addressed directly to the responsible entity.

End users, partners, vendors, industry groups and independent researchers who have identified a potential vulnerability are encouraged to submit their findings to product-security@axis.com. The submitted report should include:

The following response times from Axis can be expected:

  • The time to first response within 2 business days after receiving the initial submission.

  • The time to triage (from the time to first response) within 10 business days.

Axis facilitates a Bug Bounty Program in cooperation with Bugcrowd for AXIS OS-based products. Axis welcomes interested security researchers and ethical hackers for participation in the bug bounty program. Please request participation through the vulnerability reporting process. Other Axis products, software and services are currently not in scope. Security researchers and ethical hackers may be named in security advisories and the Hall of Fame to provide appropriate credit for their findings.

Disclosing vulnerabilities

After the reported findings have been investigated and validated to be a legitimate vulnerability, Axis assigns a CVE ID to the vulnerability and initiates the responsible disclosure process. Axis strives to collaborate with the researcher on further details, such as the CVSSv3.1 score, the content of the security advisory and/or the press releases (if applicable), and the date for the external disclosure.

After alignment between Axis and the researcher, the vulnerability will be externally disclosed by Axis submitting the CVE ID to MITRE and by publishing the security advisory and/or press release.

Out-of-scope vulnerabilities

Some vulnerabilities are out-of-scope for the Axis vulnerability management policy. Please do not submit reports on out-of-scope vulnerabilities in the list below to product-security@axis.com.

  • DLL-hijacking/DLL-sideloading vulnerabilities in Axis software applications that are running on Microsoft Windows OS. For more information, see the following article.

  • Vulnerabilities requiring high privileges and/or social engineering that are started/executed with root/administrator access and/or require complex user interactions.

  • Sub-domain takeovers such as gaining control over a host that points to a service not currently in use.

  • User misconfigurations that could be prevented by following Axis hardening guides:

  • Vulnerabilities in third party user- or partner-created content or applications, for instance ACAPs that can be uploaded and run on Axis devices.

  • Cross-site request forgery (CSRF) or cross-site scripting (XSS) vulnerabilities that trick the user into accessing a malicious website or clicking on a disguised link while accessing the web interface of Axis devices. For more information, see the following security advisory.

  • Any DoS type attack, examples of these are:

    • Resource exhaustion of a device through normal API usage with modified parameter inputs.

    • Resource exhaustion due to high frequency API calls.

    • Resource exhaustion using slowloris attacks.

  • Third party open-source vulnerabilities that are registered with a CVE ID located in software components or packages used in Axis products, software or services. Common examples of such software components are the Linux Kernel, OpenSSL, Apache, and others.

  • Missing HTTP(S) security headers such as X-Frame-Options.

  • Vulnerability reports generated by third party network security scanners.

  • Unsupported products/software/services that have reached the “Discontinued product. Online support only” phase.

Security notification service

Axis publishes guidelines, security advisories and statements on Axis Vulnerability Management Policy. Furthermore, information can be obtained by subscribing to Axis security notification service on Security notification service.

Notifications are sent out for Axis-specific vulnerabilities regardless of their CVSSv3.1 score. Notifications for relevant open-source components are sent out for vulnerabilities with CVSSv3.1 high/critical (7.0 - 10.0) score. Furthermore, vulnerabilities analyzed by Axis are documented in the AXIS OS Security Advisories.