Penetration Testing & Vulnerability Disclosure Guidelines
Axon is committed to providing secure cloud services and products to the public safety community.
Axon believes a diverse security testing approach is necessary in ensuring the security of cloud services and products. As such, we encourage any security researchers, whether independent or contracted by a customer, to responsibly report to Axon's Information Security team any potential vulnerabilities that may be found in Axon's services or products. Axon is committed to working with customers and the security researcher community to validate and address reported potential vulnerabilities.
However, all security testing activities must be conducted in accordance with the requirements set below. Any violations of the below requirements without prior authorization from Axon Information Security may result in a suspension of access and legal action.
- Axon Cloud Services: Web based services developed and provided by Axon
- Axon Devices: Physical devices sold by Axon including TASER Smart Weapons, Axon Dock, Axon Cameras, and Signal Products
- Axon Cameras: Physical cameras sold by Axon includingAxon Body 2, Axon Flex 2, and Axon Fleet Cameras
- Axon Client Applications: Client software developed by Axon including Axon Capture, Axon Evidence SYNC, Axon Device Manager, Axon View, Axon Interview, Axon Commander, Axon Uploader XT, and Axon View XL
Axon Cloud Services Testing
We encourage customers to place reliance on Axon's formalized penetration testing programs. Axon coordinates frequent penetration tests of Axon Cloud Services and undergoes numerous compliance-mandated testing activities including annual FedRAMP Penetration Testing and an IT Health Check by a CHECK Service Provider.
If customers are required to execute their own penetration testing of Axon Cloud Services, such activity must be coordinated in advance with Axon Information Security. Axon will work with customers to develop and pre‑approve the testing schedule and scope. Development of a testing schedule allows Axon to monitor and differentiate potential real attacks from authorized customer testing activity. Axon will not disable any security response or protection technologies to facilitate testing activities.
Please contact Axon's Information Security team (firstname.lastname@example.org) to obtain additional details of Axon's formalized penetration testing scope, methodology, and results or to make a formal request to conduct an independent penetration test of Axon Cloud Services.
For Security Researchers
Axon does not currently provide accounts or tenants within Axon Cloud Services for research purposes. If you are interested in performing testing of Axon Cloud Services, please contact Axon's Information Security team (email@example.com).
Axon Devices and Client Applications Testing
Customers are authorized to perform testing of Axon Client Applications and Axon Devices they own. No advanced notification to Axon is required.
However, testing must be scoped only to the Axon Device or Axon Client Application itself. The testing of any Axon Device or Axon Client Application interactions with Axon Cloud Services are subject to the requirements outlined for Axon Cloud Services. Axon will not provide Axon managed credentials for any Axon Client Application or Axon Device.
For Security Researchers
Axon does not currently coordinate the provisioning of Axon Devices or Axon Client Applications to facilitate testing by the security researcher community. If a security researcher has access to an Axon Device or Axon Client Application, no advance notification to Axon is required.
However, testing must be scoped only to the Axon Device or Axon Client Application itself. The testing of any Axon Device or Axon Client Application interactions with Axon's Cloud Services are subject to the requirements outlined for Axon Cloud Services. Axon will not provide Axon managed credentials for any Axon Client Application or Axon Device.
Reporting Potential Vulnerabilities
Axon requires that customers and security researchers share testing results with Axon's Information Security team. Confirmed vulnerabilities help contribute to the collective security of Axon services and products and enable us to continuously improve our security posture.
Testing results should be transmitted to Axon's Information Security team using an encrypted communication channel. Our PGP key is available here: Axon Information Security (36A266CE) – Public
Please provide a thorough explanation of all potential vulnerabilities. We also ask that you do not disclose any vulnerability information publicly or to any third party without coordination with Axon's Information Security team.
Prohibited Testing Activities
The following conduct and activities are prohibited, regardless of testing authorization:
- Activities that disrupt, degrade or interrupt Axon services, or affect data that belongs to other users or agencies (e.g. spam, brute force attacks, malicious file distribution, denial of service or “stress testing”, indiscriminate testing approaches)
- Accessing, or attempting to access, data or information that does not belong to your user or your agency
- Moving beyond “proof of concept” reproduction steps for infrastructure execution issues (i.e. proving that you have sysadmin access with SQLi is acceptable, running xp_cmdshell is not).
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to your user or your agency
- Conducting any kind of physical or electronic attack on Axon personnel, property, or data centers
- Social engineering (via phone, email, in-person, or other methods) any Axon employee, contractor, facility, or other Axon Cloud service users
- Violating any laws or breaching any agreements in order to perform security research
Confirmed and discovered vulnerabilities will be remediated in accordance with Axon's vulnerability response and remediation program.
Axon Information Security will use reasonable efforts to:
- Respond in a timely manner, acknowledging receipt of your vulnerability report
- Provide an estimated time frame for addressing the vulnerability report
- Notify you when the vulnerability has been fixed