General Security Architecture
Our security model is applied consistently across all deployment types—from single-home installations to large commercial sites—and all connection methods, including Wi-Fi, Ethernet over PLC, and 4G LTE-M.
End-to-End Encryption
All data transmissions are encrypted from start to finish, protecting communications between devices, mobile apps, and cloud services.
Role-Based Access Control
Access is restricted based on each user’s defined role, ensuring operators, administrators, and end users only reach authorized functions.
Digitally Signed Firmware
Firmware packages are encrypted and digitally signed to ensure the integrity and authenticity of software running on every device.
Secure Device Authentication
Built-in mechanisms verify the identity of devices before they connect to management platforms or receive configuration updates.
Software Development and Delivery
Compliance-Driven Software Updates
Software updates are required for compliance and are delivered via the mobile app or remote over-the-air (OTA) updates. The supplier delivers a single software package; for the standard version this is the Board software version a.b.c, which is both encrypted and signed.
Agile Development
We use agile methods with Continuous Integration (CI) and Continuous Delivery (CD) to ship secure, tested releases on a regular cadence.
Automated Testing
Fully automated testing is performed at the end of every sprint to validate functionality, security controls, and update integrity before release.
Secure Packaging
Each release is delivered as a single encrypted and signed software package to prevent tampering during distribution and installation.
Security Update Policy
| Manufacturer / Platform | Security Update Policy | Vulnerability Submission Channel |
|---|---|---|
| Soaring Sunshine Pte. Ltd. | | office@sgsoaring.com |
Security Advisories
Published vulnerability notices, patch information, and remediation guidance.
| CVE / ID | Title | Severity | Affected Products | Published | Status |
|---|---|---|---|---|---|
| CVE-2025-1847 | OCPP module TLS certificate verification bypass | Critical | Integrated DC v3.x, Cloud Platform | 2025-06-10 | Patched |
| CVE-2025-1623 | Web admin panel SQL injection | High | Cloud Platform ≤ 2.4.1 | 2025-05-22 | Patched |
| CVE-2025-1401 | Firmware OTA update signature validation flaw | High | AC Commercial CE v2.x | 2025-04-18 | Patched |
| CVE-2025-1189 | API unauthorized access to user information | Medium | SOARING Cloud API v1 | 2025-03-30 | Patched |
| CVE-2025-0956 | Local config interface CSRF | Medium | Integrated DC v2.x–v3.0 | 2025-02-14 | Patched |
| CVE-2025-0712 | Sensitive information in log files | Low | All product lines | 2025-01-28 | Patched |
Friendly Reminder
- Patch cycle: Security vulnerabilities are targeted for resolution within a 90-day window.
- Update delivery: Software updates are typically delivered via over-the-air (OTA) updates.
- Vulnerability disclosure: If you discover a vulnerability, please report it to the manufacturer. Disclosed vulnerabilities are posted on this website for public access.
- Official information: Refer to our News page for the latest security policies and announcements.
- Best practices: Apply updates promptly and download applications only from official sources.
Responsible Disclosure Policy
- Report vulnerabilities via the form below or email office@sgsoaring.com. Do not publicly disclose unfixed issues.
- We acknowledge reports within 48 hours and aim to release patches and advisories within 90 days.
- Do not perform destructive testing on production systems. Validate in isolated or authorized test environments only.
- Valid reports may receive optional public acknowledgment at the reporter’s request.
Report a Vulnerability
If you discover a security issue in SOARING SUNSHINE chargers, cloud services, or this website, please submit the form below or email office@sgsoaring.com.
