AxxonSoft Vulnerability Disclosure Policy
1. Scope
This policy applies to all vulnerabilities discovered in AxxonSoft products and services, including but not limited to Axxon One, Axxon PSIM, License Server, Cloud Solutions and other components listed in our official product documentation.
2. Reporting a Vulnerability
If you believe you have found a security vulnerability in an AxxonSoft product or service, please notify us immediately by emailing security@axxonsoft.com.
We strongly encourage encryption using our PGP key.
When submitting a report, please include:
- Product and version affected.
- Description of the vulnerability and its potential impact.
- Steps to reproduce (PoC if possible).
- Suggested remediation (if known).
- Your preferred disclosure timeline (if applicable).
3. Our Commitment and Response Timeline
- Acknowledgment: We will confirm receipt of your report within 2 business days.
- Triage: We will evaluate the issue within 7 business days and determine scope/severity.
- Updates: We will provide progress updates at least every 30 days until resolution.
- Publication: If accepted, we will assign a CVE ID and publish a CVE Record along with an AxxonSoft Security Advisory.
If a vulnerability is being actively exploited in the wild, we may accelerate this timeline.
4. What We Consider a Vulnerability
We generally recognize the following as vulnerabilities:
- Memory safety errors.
- Injection flaws.
- Cross-site scripting (XSS) and cross-site request forgery (CSRF).
- Privilege escalation.
- Authentication/authorization weaknesses.
- Insecure configurations with security impact.
- Information disclosure.
- Supply chain flaws directly affecting AxxonSoft products.
We generally do not consider the following as vulnerabilities:
- Best practice or hardening suggestions without direct security impact.
- Physical attacks, social engineering, lost/stolen devices.
- Denial-of-service from resource exhaustion without a specific flaw.
- Issues in end-of-life products (unless otherwise announced).
- Vulnerabilities in third-party software not maintained by AxxonSoft.
5. CVE ID Assignment
As a CVE Numbering Authority (CNA), AxxonSoft assigns CVE IDs to validated vulnerabilities in our products.
- A CVE ID may be reserved early during coordination and will remain RESERVED until publication.
- Only vulnerabilities in AxxonSoft’s CNA scope are eligible. Reports outside this scope will be referred to the appropriate CNA or Root CNA.
6. Coordinated Disclosure
Our standard disclosure window is up to 90 days from acknowledgment, subject to change by mutual agreement depending on severity and complexity.
We work with researchers to coordinate public disclosure to ensure both timely fixes and reduced risk for customers.
7. Credit
With the researcher’s permission, we will acknowledge contributions in the related security advisory and CVE Record.
8. Bug Bounty
AxxonSoft currently does not operate a public bug bounty program and does not provide monetary rewards for vulnerability reports.
However, we highly value contributions from the security research community and publicly credit researchers who report issues in good faith.
9. Safe Harbor
If you follow this policy and act in good faith:
- We will not pursue legal action against you.
- We consider security research conducted under this policy authorized.
Good-faith research excludes activities that:
- Involve accessing, modifying, or exfiltrating data beyond what is necessary to demonstrate the vulnerability.
- Intentionally harm the confidentiality, integrity, or availability of AxxonSoft services or customer data.
10. Contact
- Email: security@axxonsoft.com
- PGP Key: available for download.