Vulnerability management

Transparency and proactive collaboration with our
customers are key to building trust and providing
robust security solutions.


Continuous improvement

Threats evolve as rapidly as the technology around us, so our commitment to vulnerability management evolves too. We continuously improve our processes, incorporate new security practices, and update information on the latest threats so that our products provide the highest level of protection and safeguard privacy.

Our commitment to transparency

In 2024, 2N joined the CVE Program (Common Vulnerabilities and Exposures – see https://cve.org/) under the CNA account of our parent company, AXIS, reinforcing our commitment to openly communicating discovered vulnerabilities and the subsequent fixes we implement.

Transparency is at the core of our approach – we strive to keep our customers informed and empower them to maintain secure, up-to-date systems. With every CVE, we release detailed security advisories outlining the identified vulnerabilities, associated risks, and the measures we have taken to resolve them.

All 2N Security Advisories may be found here.

Below you can find the 2N Vulnerability Management Policy or download it here.

2N Vulnerability Management Policy

Overview

2N has implemented proven processes and procedures for managing and responding to security vulnerabilities discovered in its products. At every stage of development, the company focuses on identifying and minimizing potential vulnerabilities, thereby reducing the risk associated with deploying products in customer environments.

2N recognizes that some standard network protocols and services may have inherent weaknesses. While 2N does not take responsibility for these protocols and services, we provide recommendations on how to mitigate these risks related to 2N products. Recommended practices and settings are described in the 2N Hardening Guide, available at https://www.2n.com/en-GB/download/2n_hardening_guide_enpdf.

Scope and support duration

The vulnerability management policies described in this document apply to all currently offered products, software, services, and solutions from 2N. After the end-of-life announcement, 2N typically provides security fixes for products for five additional years. Information on the current support status of products can be found on the respective product page at www.2n.com.

Commitment

2N appreciates and supports the efforts of researchers, ethical hackers, and cybersecurity companies in identifying and reporting vulnerabilities. The company respects the interests of researchers in the vulnerability disclosure process and expects researchers not to disclose vulnerabilities before the end of a 90-day period or a mutually agreed date, and to conduct their research within legal boundaries and in a way that does not cause harm, expose private data, or compromise the safety of 2N, its partners, or its customers.

Vulnerability management

2N uses the CVSSv4.0 (Common Vulnerability Scoring System) for categorizing vulnerabilities. Vulnerabilities may be assessed in the context of the recommended deployment of products. Depending on the CVSS score, priority for correction will be assigned accordingly:

  • High/Critical (CVSS 7.0 - 10.0)
    We aim to fix the vulnerability before its external disclosure or within 4 weeks after it. The fix is usually released as quickly as possible.

  • Low/Medium (CVSS 0.1 - 6.9)
    Vulnerabilities with low/medium levels usually have less severe consequences for product security because they either require privileged access to the device or have limited impact on confidentiality, integrity, or availability. The fix is usually released in regularly scheduled versions.

Reporting Vulnerabilities

If you discover a security vulnerability associated with a 2N product, we encourage you to report the finding immediately via the form at the following link:

https://www.2n.com/en-US/about-2n/cybersecurity/form/

The submitted data should include:

  • Contact information of the researcher
  • Technical information about the vulnerability
  • Steps to reproduce the vulnerability
  • Estimated CVSSv4.0 score and the corresponding vector string
  • A remediation suggestion
  • The researcher's own vulnerability disclosure policy, if available
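To make the "estimated CVSSv4.0 score and vector string" item concrete, here is an added example (not 2N's code) that validates a CVSS v4.0 vector string before it goes into a report and maps the reporter's estimated score onto the two priority bands quoted in the 'Vulnerability management' section. It assumes the CVSS v4.0 base and threat metric definitions published by FIRST and a numeric score produced by an external calculator (the MacroVector scoring itself is not implemented); the sample vector and its 9.3 estimate are constructed inputs.

```python
"""Validate a CVSS v4.0 vector string and map a score to the fix-priority bands above.

Added example for this page; it is not 2N's code. Metric names and allowed values
are the CVSS v4.0 base and threat metrics from the FIRST specification; the
priority bands (0.1-6.9 Low/Medium, 7.0-10.0 High/Critical) are the policy's.
Environmental and supplemental metric groups are deliberately not modelled.
"""

# CVSS v4.0 base metrics in the order the specification requires them to appear.
BASE_METRICS = (
    ("AV", ("N", "A", "L", "P")),  # Attack Vector: Network, Adjacent, Local, Physical
    ("AC", ("L", "H")),            # Attack Complexity: Low, High
    ("AT", ("N", "P")),            # Attack Requirements: None, Present
    ("PR", ("N", "L", "H")),       # Privileges Required: None, Low, High
    ("UI", ("N", "P", "A")),       # User Interaction: None, Passive, Active
    ("VC", ("H", "L", "N")),       # Vulnerable System Confidentiality impact
    ("VI", ("H", "L", "N")),       # Vulnerable System Integrity impact
    ("VA", ("H", "L", "N")),       # Vulnerable System Availability impact
    ("SC", ("H", "L", "N")),       # Subsequent System Confidentiality impact
    ("SI", ("H", "L", "N")),       # Subsequent System Integrity impact
    ("SA", ("H", "L", "N")),       # Subsequent System Availability impact
)
BASE_NAMES = tuple(name for name, _ in BASE_METRICS)

# Optional threat metric: Exploit Maturity (Not Defined, Attacked, Proof-of-Concept, Unreported).
OPTIONAL_METRICS = {"E": ("X", "A", "P", "U")}


class CvssVectorError(ValueError):
    """Raised when a vector string does not conform to CVSS v4.0."""


def parse_cvss4_vector(vector: str) -> dict:
    """Parse a CVSS v4.0 vector string into {metric: value}, validating it on the way.

    Rejects a wrong version prefix, malformed components, unknown or unsupported
    metrics, duplicate metrics, disallowed values, and base metrics that are
    missing or not in specification order.
    """
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise CvssVectorError(f"expected prefix 'CVSS:4.0', got {parts[0]!r}")
    allowed_values = {**dict(BASE_METRICS), **OPTIONAL_METRICS}
    metrics = {}  # insertion order is preserved, which lets us check metric order below
    for component in parts[1:]:
        name, sep, value = component.partition(":")
        if not sep or not name or not value:
            raise CvssVectorError(f"malformed metric component {component!r}")
        if name in metrics:
            raise CvssVectorError(f"duplicate metric {name}")
        if name not in allowed_values:
            raise CvssVectorError(f"unknown or unsupported metric {name!r}")
        if value not in allowed_values[name]:
            raise CvssVectorError(f"value {value!r} is not allowed for {name}")
        metrics[name] = value
    if tuple(metrics)[: len(BASE_NAMES)] != BASE_NAMES:
        missing = [n for n in BASE_NAMES if n not in metrics]
        raise CvssVectorError(f"base metrics missing or out of order (missing: {missing})")
    return metrics


def requires_privileged_access(metrics: dict) -> bool:
    """True when the vector needs Low or High privileges on the device (PR:L or PR:H).

    This is the property the policy cites when explaining why many findings land
    in the Low/Medium band.
    """
    return metrics["PR"] in ("L", "H")


def cvss_rating(score: float) -> str:
    """CVSS v4.0 qualitative severity rating for a numeric score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS score must lie within 0.0..10.0")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def fix_priority(score: float) -> str:
    """Map a score to the two priority bands quoted in the policy text."""
    rating = cvss_rating(score)
    if rating in ("High", "Critical"):
        return "High/Critical: fix before external disclosure or within 4 weeks after"
    if rating in ("Low", "Medium"):
        return "Low/Medium: fix in a regularly scheduled release"
    return "None: score 0.0, not covered by the policy bands"


if __name__ == "__main__":
    # Constructed sample input: an unauthenticated network vector with an estimated
    # score of 9.3 supplied by the reporter's calculator (not computed here).
    vector = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
    metrics = parse_cvss4_vector(vector)
    print(metrics, requires_privileged_access(metrics), fix_priority(9.3))
    # A vector missing base metrics is rejected before it reaches the report.
    try:
        parse_cvss4_vector("CVSS:4.0/AV:N/AC:L/PR:N/UI:N")
    except CvssVectorError as err:
        print("rejected:", err)
```

Running the validator on the vector string before submitting a report catches the usual mistakes (a CVSS 3.1 prefix, a missing AT or SC/SI/SA metric, metrics in the wrong order) that would otherwise cost a round trip with the vendor during the initial verification.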

You can expect the following response times from 2N:

  • Initial response within 2 business days of reporting
  • Results of the initial verification within 10 business days

Security researchers and ethical hackers may be named in security advisories and in the Hall of fame as a token of appreciation for their findings.

Disclosure Policy

After reviewing the reported findings and confirming that the finding is a legitimate vulnerability, 2N will assign a CVE ID to it and initiate the process of fixing and subsequently disclosing the vulnerability. Response timelines for researchers are outlined in the section 'Reporting Vulnerabilities' above; timelines for resolving vulnerabilities by severity are outlined in the section 'Vulnerability management'. 2N will strive to collaborate with the researcher on further details, such as the CVSSv4.0 score, the content of the security advisory and/or press release (if any), and the external disclosure date. Once 2N and the researcher agree, the vulnerability will be externally disclosed through a security advisory and/or press release, typically within one month after a software update containing the fix has been released.

Out-of-scope vulnerabilities

Some vulnerabilities are out of scope for 2N's vulnerability management. Please do not report the following:

  • DLL hijacking/DLL sideloading vulnerabilities in 2N products running on the Microsoft Windows operating system
  • Vulnerabilities that require high privileges (i.e. are triggered or executed with root/administrator rights), social engineering, and/or complex user interaction
  • Subdomain takeover obtained by taking control of a host pointing to a service that is currently unused
  • Misconfigurations that can be avoided by following the procedures outlined in the 2N Hardening Guide or on faq.2n.com
  • CSRF (cross-site request forgery) or XSS (cross-site scripting) vulnerabilities that rely on tricking a user into visiting a malicious website or clicking a hidden link while accessing the web interface of a 2N device
  • All DoS attacks, for example:
    • Resource exhaustion of the device through normal use of the API with modified input parameters
    • Resource exhaustion due to a high frequency of API calls
    • Resource exhaustion using slowloris attacks
  • Third-party open-source vulnerabilities that already have a CVE ID and are found in software components or packages used in 2N products, such as the Linux kernel, OpenSSL, Apache, and others
  • Missing HTTP(S) security headers, such as X-Frame-Options
  • Vulnerability reports generated by automated network security scanners
  • Unsupported products that are in the end-of-life phase

Vulnerability disclosure

Vulnerabilities will be disclosed on the 2N Security Advisories website and at www.cve.org after the fix is released.

Have you noticed a cybersecurity issue? Share your findings with us.
