Fwd: SySS Responsible Disclosure Policy
Michael Nazzareno Trimarchi
michael at amarulasolutions.com
Fri Jun 26 14:03:21 CEST 2026
Hi
I have a long queue. I will take care of it, but I am coming out of some down
period. I will look at it over the weekend;
I already have other patches to send.
Michael
On Fri, Jun 26, 2026 at 12:02 PM Robin Trost <Robin.Trost at syss.de> wrote:
>
> Hi,
>
> any updates regarding the issue?
>
> Kind regards,
> Robin
>
>
> -------- Forwarded Message --------
> Subject: Fwd: SySS Responsible Disclosure Policy
> Date: Fri, 12 Jun 2026 22:47:10 +0200
> From: Robin Trost <Robin.Trost at syss.de>
> To: dario.binacchi at amarulasolutions.com, michael at amarulasolutions.com,
> Tom Rini <trini at konsulko.com>, andrew.goodbody at linaro.org
> CC: u-boot at lists.denx.de
>
> Hi all,
>
> during a recent assessment I identified a vulnerability in the OOB data
> parsing of the NAND chip. As you are the maintainers regarding [1], I've
> sent you the advisory (SYSS-2026-038: Arbitrary OOB Heap Write)
> including an "optional" fix and a reproducer script which illustrates
> that the vulnerability can lead to arbitrary code execution in the sandbox.
>
> If you have further questions, please do not hesitate to contact me.
>
> Kind regards,
> Robin
>
> [1] https://docs.u-boot.org/en/latest/develop/security.html
>
>
> -------- Forwarded Message --------
> Subject: SySS Responsible Disclosure Policy
> Date: Wed, 10 Jun 2026 15:46:26 +0200
> From: Robin Trost <Robin.Trost at syss.de>
> To: u-boot at lists.denx.de <u-boot at lists.denx.de>
> CC: trini at konsulko.com <trini at konsulko.com>, p_mailqueue_disclosure
> <disclosure at syss.de>
>
> Hi all,
>
> The SySS GmbH deals with security issues in a responsible way. In the
> form of a security advisory we report security vulnerabilities which are
> not in products of our customers and which are not excluded from public
> disclosure due to contractual agreements with vendors.
>
> The attached security advisories contain detailed information about the
> found vulnerabilities that allows the vendor to reproduce and further
> investigate the reported security issue. Vulnerabilities will be
> disclosed to the public if a solution was published by the vendor or 45
> days after the initial report by the SySS GmbH, regardless of the
> vulnerability status, for example if there is a patch or workaround from
> the affected vendor. In well-founded exceptional cases, this standard
> procedure may not be followed and an alternative, adjusted publication
> schedule will be negotiated with the vendor.
>
> The goal of our Responsible Disclosure Policy is to weigh up the need
> of the public to know of security vulnerabilities against the vendor’s
> time to remedy all security issues effectively. The final publication
> schedule will be based on the best interests of the community overall,
> considering both positions. Before the responsible disclosure of a
> security vulnerability, the SySS GmbH allows vendors the opportunity to
> analyze reported security issues, to develop effective countermeasures,
> and to test them thoroughly.
>
> If there are any further questions regarding the identified
> vulnerabilities do not hesitate to contact me.
>
> Kind regards,
> --
> Robin Trost
> Senior IT-Security Consultant
> ______________________________________________________________
>
> SySS GmbH
> Schaffhausenstraße 77, 72072 Tübingen, Germany
> Tel: +49 (0)7071 - 40 78 56-6169
> Mobil: +49 (0)151 - 42209330
> E-Mail: Robin.Trost at syss.de
> Conf. Calls: https://syss.zoom.us/my/robin.trost
> Web: https://syss.de
>
> PGP-Fingerprint: 85FE 80E2 04F3 6177 C61A 4618 61DE F14F 698E 6EB3
>
> Geschäftsführer: Sebastian Schreiber
> Registergericht: Amtsgericht Stuttgart / HRB 382420
> Steuernummer: 86118 / 55809
--
Michael Nazzareno Trimarchi
Co-Founder & Chief Executive Officer
M. +39 347 913 2170
michael at amarulasolutions.com
__________________________________
Amarula Solutions BV
Joop Geesinkweg 125, 1114 AB, Amsterdam, NL
T. +31 (0)85 111 9172
info at amarulasolutions.com
www.amarulasolutions.com