Vulnerability management | Axis Communications

Security through transparency

Why vulnerability management matters

A software vulnerability is a weakness that, if exploited, can result in a security breach and lead to loss of confidentiality, data integrity, and availability. No software is 100% vulnerability free. Managing vulnerabilities is an ongoing process involving continuous identification and patching of weaknesses.

Vulnerability management strengthens the security and reliability of Axis products and services, enabling customers to operate as securely as possible. We believe transparency in the management and disclosure of vulnerabilities strengthens security and accountability, helping to reduce risks and build trust.

Common misperceptions

Vulnerabilities don't mean bad quality

A common misperception is that vulnerabilities mean bad quality. No software is completely free of errors or bugs, so the existence of vulnerabilities doesn’t say much about the quality of a product or vendor. What matters more is the approach a vendor takes to managing vulnerabilities. At Axis, we take a proactive approach, finding and fixing vulnerabilities throughout the lifecycle of our products. To minimize errors from the start, we incorporate security activities into our development process. After a release, we cooperate openly with external parties to manage and fix newly discovered vulnerabilities and apply a responsible disclosure process.

These efforts are outlined and guided by the Axis Security Development Model (ASDM) which is described further down this page.

Disclosure doesn't lead to exploitation

Another frequent misperception is that disclosing vulnerabilities allows hackers to freely exploit them – and that, therefore, they shouldn’t be disclosed. When we disclose vulnerabilities through Axis security advisories, we provide a bare minimum of details. This protects customers by minimizing the risk of an attacker exploiting a vulnerability. We aim to provide a patch for a vulnerability before we disclose it.

Axis implements industry best practices

Since 2015, Axis has been developing processes and tools for vulnerability management. Because vulnerability management is a never-ending journey, we constantly strive to improve our processes in keeping with industry best practices. To identify, patch and disclose vulnerabilities, we cooperate transparently and responsibly in a coordinated way with external parties like researchers, ethical hackers, end customers, and partners. Because we follow best practices for coordinated vulnerability disclosure, vulnerabilities can be safely reported to us.

2016 - We publicly disclosed patched vulnerabilities.

2017 - We designed the Axis Security Development Model (ASDM). ASDM ensures that cybersecurity considerations are integrated into the lifecycle of Axis products and solutions.

2020 - We conducted our first external penetration test.

2021 - We created the Axis Vulnerability Management Policy. It outlines how vulnerabilities are managed in our products and services and what can be expected from Axis as a trusted vendor.

2021 - In April we joined the Common Vulnerabilities and Exposures program (CVE) and became a CVE Numbering Authority (CNA). We disclose vulnerabilities through CVE IDs and follow the best-practices framework outlined by the CVE program.

2022 - In December we launched a private bug bounty program in partnership with Bugcrowd for AXIS OS-based network products.

2023 - We published the Axis cybersecurity framework. It outlines Axis processes and procedures in place to continuously address security-related risks, both in our company’s IT infrastructure and our product offerings.

2024 - We turned our AXIS OS private bug bounty program into our AXIS OS public bug bounty program, which means that all security researchers and ethical hackers with a Bugcrowd account can report vulnerabilities related to AXIS OS.

2024 - We launched a new private bug bounty program for AXIS Camera Station Pro.

Axis Security Development Model (ASDM)

The purpose of ASDM is to reduce vulnerabilities and development costs by providing guidance and establishing a baseline for cybersecurity. We developed ASDM ourselves to suit our products and services. It helps us to proactively find and eliminate thousands of vulnerabilities before product release and to continue to address vulnerabilities throughout the product lifecycle. Our aim is to improve cybersecurity – not just to comply with processes or certification requirements. So, Axis development teams decide which activities to engage in depending on the kind of software they are developing.

Learn more about ASDM

Bug bounty programs with Bugcrowd

Our bug bounty programs with Bugcrowd help us significantly strengthen the security of our products and solutions by providing access to a global community of trusted researchers and ethical hackers. When a vulnerability is identified, we provide a cash reward (a bounty). The amount of the reward depends on the severity of the vulnerability. We regularly review the amount of our cash rewards to keep our programs attractive and competitive.

Many of our CVE disclosures are the result of findings from an Axis bug bounty program.

Penetration tests

External penetration tests provide insight and assurance regarding the security of a product at a particular point in time. They are conducted by specialist third-party companies on a yearly basis. For client statements, please visit the cybersecurity resources page.

Easily address vulnerabilities

Axis provides software that makes it easier for customers to roll out vulnerability patches and new software versions with security updates to many different devices. Axis video management software like AXIS Companion, AXIS Camera Station, and partner video management software like Milestone XProtect® and Genetec™ Security Center, alert users to new AXIS OS versions for products in operation. AXIS Device Manager and AXIS Device Manager Extend also provide alerts, and, among other things, enable customers to update the operating system of multiple devices at once.