Product security
Vulnerability reporting, secure updates, and minimum support period.
Report a vulnerability
If you discover a security vulnerability, please report it to us at [email protected]. Please include a detailed description and steps to reproduce the issue. We will investigate and respond as quickly as possible. We appreciate responsible disclosure.
Typical initial response time: within 5 business days.
Minimum security update support
The Connectivity Bridge will receive security updates until 31 December 2032. During this period we commit to providing timely security fixes for vulnerabilities that materially impact the confidentiality, integrity or availability of the device or connected services. This minimum support duration is provided in line with ETSI EN 303 645 and the UK Product Security and Telecommunications Infrastructure (PSTI) Act.
Secure update policy
- Firmware packages are hash-verified on the device before installation. Packages that fail integrity verification are rejected.
- Updates are delivered over HTTPS from connectivity-bridge.com using the device trust store.
- If an update download or write fails, installation is aborted and the current firmware keeps running.
- Updates can be initiated from the local device frontend. Cloud rollout controls remain part of the staged roadmap.
- Production hardening such as Secure Boot and Flash Encryption depends on the manufacturing/release profile and must be verified per production batch.
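One way to get the verify-then-install and abort-on-failure behaviour listed above, as an added sketch that is not the Connectivity Bridge firmware's own code. SHA-256, the manifest-supplied digest, and the names install_firmware, UpdateRejected and demo are assumptions made for illustration; the sample images are constructed.

```python
import hashlib
import os
import pathlib
import tempfile

class UpdateRejected(Exception):
    """Package not installed; the active firmware image is untouched."""

def install_firmware(chunks, expected_sha256, active_path):
    """Stage the package (chunks = HTTPS body), verify its hash, then swap it in."""
    # Assumption: expected_sha256 comes from a manifest on the same trusted channel.
    digest = hashlib.sha256()  # assumed algorithm; the page names none
    fd, staging = tempfile.mkstemp(dir=os.path.dirname(active_path))  # same filesystem
    try:
        with os.fdopen(fd, "wb") as out:
            for chunk in chunks:
                out.write(chunk)
                digest.update(chunk)
            out.flush()
            os.fsync(out.fileno())
        if digest.hexdigest() != expected_sha256.lower():
            raise UpdateRejected("integrity verification failed")
        os.replace(staging, active_path)  # atomic: old or new image, never a mix
    except OSError as exc:  # dropped connection, full flash, write error
        raise UpdateRejected(f"download or write failed: {exc}") from exc
    finally:
        if os.path.exists(staging):
            os.remove(staging)

def demo():
    """Run three constructed update attempts against a constructed v1 image."""
    def dropped():
        yield b"firmware-"
        raise ConnectionError("link lost mid-download")
    v2 = b"firmware-v2"
    good = hashlib.sha256(v2).hexdigest()
    attempts = [("tampered", [b"firmware-vX"]), ("dropped", dropped()), ("valid", [v2])]
    results = {}
    with tempfile.TemporaryDirectory() as d:
        active = pathlib.Path(d) / "active.bin"
        active.write_bytes(b"firmware-v1")
        for name, body in attempts:
            try:
                install_firmware(body, good, active)
                outcome = "installed"
            except UpdateRejected as exc:
                outcome = str(exc)
            results[name] = (outcome, active.read_bytes())
        results["leftovers"] = sorted(os.listdir(d))
    return results
```

A bare hash only proves the package matches the digest it was checked against, so the digest itself has to arrive over a channel the device already trusts.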
Scope and out-of-scope
In scope: the Connectivity Bridge device firmware, the local frontend served from the device, the cloud frontend at connectivity-bridge.com, and the cloud backend API. Out of scope: denial-of-service attacks, social engineering attacks against staff, and reports that require physical tampering with a device that has had its onboarding seal broken.
Legal & privacy
Privacy policy and terms of use are published on the Legal page. Documents are being finalized.