A software vulnerability is a weakness that, if exploited, can result in a security breach and lead to loss of confidentiality, data integrity, and availability. No software is 100% vulnerability-free. Managing vulnerabilities is an ongoing process involving continuous identification and patching of weaknesses.
Vulnerability management strengthens the security and reliability of Axis products and services, enabling customers to operate as securely as possible. We believe transparency in the management and disclosure of vulnerabilities strengthens security and accountability, helping to reduce risks and build trust.
No software is completely free of errors or bugs, so the existence of vulnerabilities doesn’t say much about the quality of a product or vendor. What matters more is the approach a vendor takes to managing vulnerabilities. At Axis, we take a proactive approach, finding and fixing vulnerabilities throughout the lifecycle of our products. To minimize errors from the start, we incorporate security activities into our development process. After a release, we cooperate openly with external parties to manage and fix newly discovered vulnerabilities and apply a responsible disclosure process.
These efforts are outlined and guided by the Axis Security Development Model (ASDM), which is described further down this page.
Another frequent misperception is that disclosing vulnerabilities allows hackers to freely exploit them – and that, therefore, they shouldn’t be disclosed. When we disclose vulnerabilities through Axis security advisories, we provide a bare minimum of details. This protects customers by minimizing the risk of an attacker exploiting a vulnerability. We aim to provide a patch for a vulnerability before we disclose it.
Since 2015, Axis has been developing processes and tools for vulnerability management. Because vulnerability management is a never-ending journey, we constantly strive to improve our processes in keeping with industry best practices. To identify, patch and disclose vulnerabilities, we cooperate transparently and responsibly in a coordinated way with external parties like researchers, ethical hackers, end customers, and partners. Because we follow best practices for coordinated vulnerability disclosure, vulnerabilities can be safely reported to us.
2016 - We publicly disclosed patched vulnerabilities.
2017 - We designed the Axis Security Development Model (ASDM). ASDM ensures that cybersecurity considerations are integrated into the lifecycle of Axis products and solutions.
2020 - We conducted our first external penetration test.
2021 - We created the Axis Vulnerability Management Policy. It outlines how vulnerabilities are managed in our products and services and what can be expected from Axis as a trusted vendor.
2021 - In April we joined the Common Vulnerabilities and Exposures program (CVE) and became a CVE Numbering Authority (CNA). We disclose vulnerabilities through CVE IDs and follow the best-practices framework outlined by the CVE program.
2022 - In December we launched a private bug bounty program in partnership with Bugcrowd for AXIS OS-based network products.
2023 - We published the Axis cybersecurity framework. It outlines Axis processes and procedures in place to continuously address security-related risks, both in our company’s IT infrastructure and our product offerings.
The purpose of ASDM is to reduce vulnerabilities and development costs by providing guidance and establishing a baseline for cybersecurity. We developed ASDM ourselves to suit our products and services. It helps us to proactively find and eliminate thousands of vulnerabilities before product release and to continue to address vulnerabilities throughout the product lifecycle. Our aim is to improve cybersecurity – not just to comply with processes or certification requirements. So, Axis development teams decide which activities to engage in depending on the kind of software they are developing.
Our bug bounty programs with Bugcrowd help us significantly strengthen the security of our products and solutions by providing access to a global community of trusted researchers and ethical hackers. When a vulnerability is identified, we provide a cash reward (a bounty). The amount of the reward depends on the severity of the vulnerability. We regularly review the amount of our cash rewards to keep our programs attractive and competitive.
Many of our CVE disclosures are the result of findings from an Axis bug bounty program.
External penetration tests provide insight and assurance regarding the security of a product at a particular point in time. They are conducted by specialist third-party companies on a yearly basis. For client statements, please visit the cybersecurity resources page.
Axis provides software that makes it easier for customers to roll out vulnerability patches and new software versions with security updates to many different devices. Axis video management software such as AXIS Companion and AXIS Camera Station, as well as partner video management software such as Milestone XProtect® and Genetec™ Security Center, alerts users to new AXIS OS versions for products in operation. AXIS Device Manager and AXIS Device Manager Extend also provide alerts and, among other things, enable customers to update the operating system of multiple devices at once.
To help strengthen security, please share findings and discoveries with us. Sensitive content can be encrypted using our public PGP key.
Axis documents and transparently discloses vulnerabilities that are specific to Axis products and AXIS OS components.
Axis provides a notification service for information about vulnerabilities and other security-related matters for Axis products.
In the Axis security hall of fame, we recognize the contributions of independent researchers and companies who collaborate with us to keep Axis customers safe.