Axis Communications approved as CVE Numbering Authority (CNA)
This will supersede Axis’ current owned ACV-numbering method (Axis critical vulnerability) to ensure vulnerability management according to industry standard practices. Customers will be able to make use of vulnerability notification services that the CVE Program offers in order to be able to quickly implement security hardening methods on Axis products and solutions.
The CVE program is well-established and many of the network security scanning tools use the CVE list as the library for their scanners. It allows companies to communicate consistent descriptions of vulnerabilities to help coordinate security efforts. This status will enable Axis to assign CVE identifiers to vulnerabilities within their own products and firmware and notify end customers of a vulnerability via their device or network scanning tool. Standardising this process further establishes Axis as a security authority.
Sebastian Hultqvist, Global Product Manager at Axis Communications commented, “Being recognised as a CNA is a testament to our ongoing work and underscores Axis’ vulnerability management and security best practices. The security of our products and solutions is always a key priority and we’re committed to working with both CVE Program and our customers to ensure that the problem-solving process for security risks is as quick and straightforward as possible.
“Bad actors won’t wait to exploit existing vulnerabilities to gain access to networks. This CNA appointment enables us to better support our customers in keeping their data safe, improve the transparency of our processes and ultimately increase trust.”
Axis’ ACV-numbering process will now be replaced by CVEs. These can be tracked in the MITRE database and further information can be found on Axis’ product security page.
CNAs are organizations responsible for the regular assignment of CVE IDs to vulnerabilities, for inclusion in first-time public announcements of new vulnerabilities. Each CNA has a specific Scope of responsibility for vulnerability identification and publishing. CNAs are the main method for requesting a CVE ID.
CVE is an international, community-based effort and relies on the community to discover vulnerabilities. The vulnerabilities are discovered then assigned and published to the CVE List.
About the CVE Program
The mission of the Common Vulnerabilities and Exposures (CVE®) Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.