Firmware update policy

Purpose and Scope

This policy defines the process and commitments for software and firmware updates for rayleighconnect™. It ensures that the product remains secure and functional over its supported life, in compliance with:

  • EU RED Article 3(3)(d)-(f)
  • UK PSTI requirements on update transparency

This applies to all software components of the product, including embedded firmware and backend/cloud services.

Update Support Commitment

Support Period

UXEON SP. Z O.O., a Rayleigh Instruments Limited subsidiary, will provide security and bug-fix updates for rayleighconnect products for a minimum of 2 years from the product’s release.

  • We are committed to clearly communicating the Support Period to customers.
  • End-of-support announcements will be published 6 months in advance.

See Maintenance and Security Updates for the current status of products.

Frequency

  • Maintenance updates: Quarterly
  • Critical patches: As soon as possible after a vulnerability is identified

Update Delivery Mechanism

Update Method

Updates are delivered via an Over-The-Air (OTA) mechanism. The gateways (devices) report their firmware versions to the Cloud Platform, and update instructions are issued regularly when out-of-date firmware is detected.

Update monitoring

To ensure stability, the firmware update process logs are collected and checked by the engineering team at least weekly.

Security of Updates

  • The update pipeline is secured by access control mechanisms
  • Packages are digitally signed and encrypted
  • Devices verify update integrity
  • If verification fails, updates are rejected and the previous software remains in place

Update Servers

Updates are downloaded over an encrypted communication channel from authenticated servers.

Graceful Failure & Rollback

Update failures trigger fallback to the last known good firmware. Redundancy mechanisms prevent device bricking.

Patch Management Process

Vulnerability Monitoring

We monitor for software vulnerabilities (including in third-party components; see SBOM) via internal tests and external reports.

Risk Assessment & Prioritization

  • CVSS or equivalent is used to classify severity
  • High/Critical issues are patched immediately
  • Lower-severity issues are queued for regular releases unless actively exploited

Development & Testing

  • Updates undergo unit, integration, regression, and security testing
  • An expedited test cycle is used for critical patches

Release & Deployment

  • Updates are packaged and pushed through the OTA pipeline
  • Users may be notified via the Cloud Platform
  • Auto-installation and reboot are supported where applicable

Transparency and Communication

Public Disclosure

The update support period is disclosed on the documentation website.

See Maintenance and Security Updates for the current status of products.

Notifications

Users are informed via the Cloud Platform with details of the update, especially if security-related.

A firmware changelog is publicly accessible.

End-of-Support Notice

At least 6 months before support ends, users are notified via the Cloud Platform with guidance on next steps or security risks.

Responsibilities and Compliance

Regulatory Alignment

This policy supports:

  • ETSI EN 303 645 (Provision 5: Keep software updated)
  • EU RED Art. 3(3)(d)-(f) (network resilience, privacy, fraud prevention)
  • UK PSTI Regulations (update transparency obligation)

Record-Keeping

We retain version histories, patch logs, and issue trackers for up to 10 years, for audit and regulatory compliance.

Policy Review and Updates

This policy is reviewed annually or upon major changes to product architecture or regulations.

Updates must be approved by the Management Board and redistributed to stakeholders. Updated versions are published on internal and public documentation portals.