Fwd: SySS Responsible Disclosure Policy
Robin Trost
Robin.Trost at syss.de
Fri Jun 26 14:27:58 CEST 2026
Hi Michael,
No problem. I just asked because I didn't get a response to the first
mail and was wondering if it reached the right people.
Thank you for looking and if you have any questions regarding the issue,
please let me know.
Kind regards,
Robin
On 6/26/26 14:03, Michael Nazzareno Trimarchi wrote:
> Hi
>
> I have a long queue, I will take care of it, but I am coming out of some down
> period. Please, I will look at it on the weekend,
>
> I already have other patches to send
>
> Michael
>
> On Fri, Jun 26, 2026 at 12:02 PM Robin Trost <Robin.Trost at syss.de> wrote:
>>
>> Hi,
>>
>> any updates regarding the issue?
>>
>> Kind regards,
>> Robin
>>
>>
>> -------- Forwarded Message --------
>> Subject: Fwd: SySS Responsible Disclosure Policy
>> Date: Fri, 12 Jun 2026 22:47:10 +0200
>> From: Robin Trost <Robin.Trost at syss.de>
>> To: dario.binacchi at amarulasolutions.com, michael at amarulasolutions.com,
>> Tom Rini <trini at konsulko.com>, andrew.goodbody at linaro.org
>> CC: u-boot at lists.denx.de
>>
>> Hi all,
>>
>> during a recent assessment I identified a vulnerability in the OOB data
>> parsing of the NAND chip. As you are the maintainers regarding [1], I've
>> sent you the advisory (SYSS-2026-038: Arbitrary OOB Heap Write)
>> including an "optional" fix and a reproducer script which illustrates
>> that the vulnerability can lead to arbitrary code execution in the sandbox.
>>
>> If you have further questions, please do not hesitate to contact me.
>>
>> Kind regards,
>> Robin
>>
>> [1] https://docs.u-boot.org/en/latest/develop/security.html
>>
>>
>> -------- Forwarded Message --------
>> Subject: SySS Responsible Disclosure Policy
>> Date: Wed, 10 Jun 2026 15:46:26 +0200
>> From: Robin Trost <Robin.Trost at syss.de>
>> To: u-boot at lists.denx.de <u-boot at lists.denx.de>
>> CC: trini at konsulko.com <trini at konsulko.com>, p_mailqueue_disclosure
>> <disclosure at syss.de>
>>
>> Hi all,
>>
>> SySS GmbH deals with security issues in a responsible way. In the
>> form of a security advisory, we report security vulnerabilities which are
>> not in products of our customers and which are not excluded from public
>> disclosure due to contractual agreements with vendors.
>>
>> The attached security advisories contain detailed information about the
>> found vulnerabilities that allows the vendor to reproduce and further
>> investigate the reported security issue. Vulnerabilities will be
>> disclosed to the public once a solution has been published by the vendor or 45
>> days after the initial report by SySS GmbH, regardless of the
>> vulnerability status, for example whether there is a patch or workaround from
>> the affected vendor. In well-founded exceptional cases, this standard
>> procedure may not be followed and an alternative, adjusted publication
>> schedule will be negotiated with the vendor.
>>
>> The goal of our Responsible Disclosure Policy is to weigh up the need
>> of the public to know of security vulnerabilities against the vendor's
>> time to remedy all security issues effectively. The final publication
>> schedule will be based on the best interests of the community overall,
>> considering both positions. Before the responsible disclosure of a
>> security vulnerability, SySS GmbH allows vendors the opportunity to
>> analyze reported security issues, to develop effective countermeasures,
>> and to test them thoroughly.
>>
>> If there are any further questions regarding the identified
>> vulnerabilities, do not hesitate to contact me.
>>
>> Kind regards,
>> --
>> Robin Trost
>> Senior IT-Security Consultant
>> ______________________________________________________________
>>
>> SySS GmbH
>> Schaffhausenstraße 77, 72072 Tübingen, Germany
>> Tel: +49 (0)7071 - 40 78 56-6169
>> Mobile: +49 (0)151 - 42209330
>> E-Mail: Robin.Trost at syss.de
>> Conf. Calls: https://syss.zoom.us/my/robin.trost
>> Web: https://syss.de
>>
>> PGP-Fingerprint: 85FE 80E2 04F3 6177 C61A 4618 61DE F14F 698E 6EB3
>>
>> Managing Director: Sebastian Schreiber
>> Register court: Amtsgericht Stuttgart / HRB 382420
>> Tax number: 86118 / 55809
>
>
>
--
Robin Trost
Senior IT-Security Consultant
______________________________________________________________
SySS GmbH
Schaffhausenstraße 77, 72072 Tübingen, Germany
Tel: +49 (0)7071 - 40 78 56-6169
Mobile: +49 (0)151 - 42209330
E-Mail: Robin.Trost at syss.de
Conf. Calls: https://syss.zoom.us/my/robin.trost
Web: https://syss.de
PGP-Fingerprint: 85FE 80E2 04F3 6177 C61A 4618 61DE F14F 698E 6EB3
Managing Director: Sebastian Schreiber
Register court: Amtsgericht Stuttgart / HRB 382420
Tax number: 86118 / 55809