Security Policy
COMPLIANCE DOCUMENTS
IN SCOPE
Any device that directly connects to the network, whether wired or wireless.
NOT IN SCOPE
Any services or systems hosted by third-party providers, and any Axion Lighting owned property or services, whether physical or intellectual. This includes, but is not limited to:
- Products that do not directly connect to the network such as lighting fixtures, DMX decoders, and power supplies.
- Axion Lighting web endpoints.
- Social engineering and phishing attacks against Axion Lighting employees, contractors, customers, or support.
HOW TO SUBMIT
To submit a security vulnerability, simply fill out our Contact Form and select the “Security Vulnerability” option from the drop-down menu.
DISCLOSURE
After receiving your vulnerability report, the Axion security team will review the details and, if the report is deemed credible, commission a fix from our remediation team. After Axion Lighting publishes the fix for the affected SKUs listed in your report, Axion Lighting will give the green light to disclose the vulnerability.
We ask that all coordinated vulnerability disclosures contain the following information:
- A link to the firmware download page containing the fixed firmware.
- A sentence or two in either the title of the disclosure or in the first few paragraphs confirming that a fix for the vulnerability is available.
- An accurate representation of the attack details per the CVSSv3 guidelines (LAN-only attacks are “Local”, not “Remote”, etc.).
LEGAL STATEMENT
To encourage a healthy working relationship with the security research community, Axion Lighting promises not to engage in legal action against individuals who:
- Engage in vulnerability testing within the scope listed above.
- Perform security tests on their own Axion Lighting products.
- Perform security tests on Axion Lighting products with the consent of the owner of the product.