Security & Legal
Security contact, update policy and supported product lifetime.
Report a vulnerability
If you discover a security vulnerability, please report it to us at security@connectivity-bridge.com. Please include a detailed description and steps to reproduce the issue. We will investigate and respond as quickly as possible. We appreciate responsible disclosure.
Typical initial response time: within 5 business days.
Minimum security update support
The Connectivity Bridge will receive security updates until 31 December 2032. During this period we commit to providing timely security fixes for vulnerabilities that materially impact the confidentiality, integrity or availability of the device or connected services. This minimum support duration is provided in line with ETSI EN 303 645 and the UK Product Security and Telecommunications Infrastructure (PSTI) Act.
Secure update policy
- Firmware packages are hash-verified on the device before installation. Packages that fail integrity verification are rejected.
- Updates are delivered over HTTPS from
connectivity-bridge.comusing the device trust store. - If an update download or write fails, installation is aborted and the current firmware keeps running.
- Updates can be initiated from the local device frontend. Cloud rollout controls remain part of the staged roadmap.
- Production hardening such as Secure Boot and Flash Encryption depends on the manufacturing/release profile and must be verified per production batch.
Scope and out-of-scope
In scope: the Connectivity Bridge device firmware, the local frontend served from the
device, the cloud frontend at connectivity-bridge.com, and the cloud backend API.
Out of scope: denial-of-service attacks, social engineering attacks against staff, and
reports that require physical tampering with a device that has had its onboarding seal
broken.