Firmware update policy
Purpose and Scope
This policy defines the process and commitments for software and firmware updates for rayleighconnect™. It ensures that the product remains secure and functional over its supported life, in compliance with:
- EU RED Article 3(3)(d)-(f)
- UK PSTI requirements on update transparency
This applies to all software components of the product, including embedded firmware and backend/cloud services.
Update Support Commitment
Support Period
UXEON SP. Z O.O., a Rayleigh Instruments Limited subsidiary, will provide security and bug-fix updates for rayleighconnect products for a minimum of 2 years from the product’s release.
- We are committed to clearly communicating the Support Period to customers.
- End-of-support announcements will be published 6 months in advance.
See Maintenance and Security Updates for current status of products.
Frequency
- Maintenance updates: Quarterly
- Critical patches: As soon as possible after a vulnerability is identified
Update Delivery Mechanism
Update Method
Updates are delivered via an Over-The-Air (OTA) mechanism. The gateways (devices) report their firmware versions to Cloud Platform, and update instructions are issued regularly when out-of-date firmware is detected.
Update monitoring
To ensure stability, the firmware update process logs are collected and checked by the engineering team at least weekly.
Security of Updates
- The update pipeline is secured by access control mechanisms
- Packages are digitally signed and encrypted
- Devices verify update integrity
- If verification fails, updates are rejected and the previous software remains
Update Servers
Updates are downloaded over an encrypted communication channel from authenticated servers.
Graceful Failure & Rollback
Update failures trigger fallback to the last known good firmware. Redundancy mechanisms prevent device bricking.
Patch Management Process
Vulnerability Monitoring
We monitor for software vulnerabilities (including in third-party components; see SBOM) via internal tests and external reports.
Risk Assessment & Prioritization
- CVSS or equivalent is used to classify severity
- High/Critical issues are patched immediately
- Lower-severity issues are queued for regular releases unless actively exploited
Development & Testing
- Updates undergo unit, integration, regression, and security testing
- An expedited test cycle is used for critical patches
Release & Deployment
- Updates are packaged and pushed through the OTA pipeline
- Users may be notified via Cloud Platform
- Auto-installation and reboot are supported where applicable
Transparency and Communication
Public Disclosure
The update support period is disclosed on the documentation website.
See Maintenance and Security Updates for current status of products.
Notifications
Users are informed via Cloud Platform with details of the update, especially if security-related.
A firmware changelog is publicly accessible.
End-of-Support Notice
At least 6 months before support ends, users are notified via Cloud Platform with guidance on next steps or security risks.
Responsibilities and Compliance
Regulatory Alignment
This policy supports:
- ETSI EN 303 645 (Provision 5: Keep software updated)
- EU RED Art. 3(3)(d)-(f) (network resilience, privacy, fraud prevention)
- UK PSTI Regulations (update transparency obligation)
Record-Keeping
We retain version histories, patch logs, and issue trackers for up to 10 years, for audit and regulatory compliance.
Policy Review and Updates
This policy is reviewed annually or upon major changes to product architecture or regulations.
Updates must be approved by the Management Board and redistributed to stakeholders. Updated versions are published on internal and public documentation portals.