Software Security Update Policy
CSL Group (“CSL”) supplies critical communication and signalling products throughout the UK and Europe. This policy defines CSL’s approach to providing software and security updates throughout the supported lifetime of its products, in accordance with the UK Product Security and Telecommunications Infrastructure (PSTI) Act 2022.
This policy applies to CSL products supplied in the United Kingdom that contain software or firmware and are capable of receiving software or security updates, locally or remotely.
During the supported lifetime of a product, CSL will provide software updates where required, which may include:
- Security updates to address identified vulnerabilities.
- Bug fixes for critical or material defects.
- Software improvements and, where appropriate, feature enhancements.
Security updates are prioritised where a vulnerability could impact the confidentiality, integrity, availability, safety, or resilience of the product or associated services.
Software and security updates are delivered through controlled and authorised mechanisms, which may include:
- Secure remote update services operated by CSL.
- Installer-authorised updates supported by CSL technical support.
- Other CSL-approved distribution channels.
Updates are applied to ensure system integrity and service continuity.
CSL maintains processes to:
- Receive and assess reports of potential security vulnerabilities.
- Evaluate severity and risk.
- Develop and deploy security updates or mitigations where appropriate.
Vulnerabilities may be identified through internal testing, customer feedback, or responsible third-party disclosure. CSL encourages responsible reporting via its published security contact channels.
For the purposes of the Product Security and Telecommunications Infrastructure (PSTI) Act 2022, the “defined support period” is the minimum period during which CSL will provide security updates for a product.
Where a product is supplied under a recurring service or access model, the defined support period shall be the duration of the paid service, subject to a declared end-of-service date which will be communicated to customers in advance. Security updates and critical bug fixes will be provided throughout this period, or CSL will offer an alternate equivalent supported product as part of a managed migration programme.
Where a product is not supplied under a recurring service model, the defined support period shall be a minimum of five (5) years from the date of installation or supply, unless a longer period is explicitly stated in product-specific documentation.
CSL will notify customers in advance when a product is withdrawn from sale, designated end-of-support, or scheduled for service withdrawal, and will provide appropriate migration guidance where applicable.
Once the defined support period has ended, CSL is no longer obliged to provide software or security updates, and customers will be advised to migrate to a supported replacement product or service.
When a product is withdrawn from sale or designated end-of-support, CSL will:
- Communicate withdrawal or migration plans to customers.
- Continue security support for the duration of the defined support period.
- Provide guidance on migration to supported replacement products where applicable.
This policy is reviewed periodically and updated as necessary to reflect changes in legislation, regulatory guidance, or CSL product lifecycle and security management practices.