Fwd: SySS Responsible Disclosure Policy
Peter Robinson
pbrobinson at gmail.com
Fri Jun 26 17:24:05 CEST 2026
Hi Robin,
> any updates on this issue?
The disclosure policy [1] is to just post the details, including any
possible patches to resolve the issue, to the mailing list and copy
the maintainers. Please follow the policy.
Peter
[1] https://docs.u-boot-project.org/en/latest/develop/security.html
> Kind regards,
> Robin
>
>
> -------- Forwarded Message --------
> Subject: Fwd: SySS Responsible Disclosure Policy
> Date: Fri, 12 Jun 2026 22:47:14 +0200
> From: Robin Trost <Robin.Trost at syss.de>
> To: Tom Rini <trini at konsulko.com>
> CC: u-boot at lists.denx.de
>
> Hi Tom,
>
> for the advisory (SYSS-2026-039: Arbitrary OOB Heap Write / Integer
> Underflow during RSA Public Key Parsing) only you showed up as a
> maintainer ("THE REST"). Therefore I've resent you the advisory.
>
> As my last mail was already flagged by your mail provider, I've included
> only the advisory (including a PoC and an "optional" fix). If necessary,
> I can provide you with a reproducer script, which illustrates arbitrary code
> execution in the sandbox (including a Python script which can be used to
> build a malicious RSA public key).
>
> If you have further questions, just let me know.
>
> Kind regards,
> Robin
>
>
> -------- Forwarded Message --------
> Subject: SySS Responsible Disclosure Policy
> Date: Wed, 10 Jun 2026 15:46:26 +0200
> From: Robin Trost <Robin.Trost at syss.de>
> To: u-boot at lists.denx.de <u-boot at lists.denx.de>
> CC: trini at konsulko.com <trini at konsulko.com>, p_mailqueue_disclosure
> <disclosure at syss.de>
>
> Hi all,
>
> The SySS GmbH deals with security issues in a responsible way. In the
> form of a security advisory we report security vulnerabilities which are
> not in products of our customers and which are not excluded from public
> disclosure due to contractual agreements with vendors.
>
> The attached security advisories contain detailed information about the
> found vulnerabilities that allow the vendor to reproduce and further
> investigate the reported security issue. Vulnerabilities will be
> disclosed to the public if a solution was published by the vendor or 45
> days after the initial report by the SySS GmbH, regardless of the
> vulnerability status, for example if there is a patch or workaround from
> the affected vendor. In well-founded exceptional cases, this standard
> procedure may not be followed and an alternative, adjusted publication
> schedule will be negotiated with the vendor.
>
> The goal of our Responsible Disclosure Policy is to weigh up the need
> of the public to know of security vulnerabilities against the vendor's
> time to remedy all security issues effectively. The final publication
> schedule will be based on the best interests of the community overall,
> considering both positions. Before the responsible disclosure of a
> security vulnerability, the SySS GmbH allows vendors the opportunity to
> analyze reported security issues, to develop effective countermeasures,
> and to test them thoroughly.
>
> If there are any further questions regarding the identified
> vulnerabilities do not hesitate to contact me.
>
> Kind regards,
> --
> Robin Trost
> Senior IT-Security Consultant
> ______________________________________________________________
>
> SySS GmbH
> Schaffhausenstraße 77, 72072 Tübingen, Germany
> Tel: +49 (0)7071 - 40 78 56-6169
> Mobile: +49 (0)151 - 42209330
> E-Mail: Robin.Trost at syss.de
> Conf. Calls: https://syss.zoom.us/my/robin.trost
> Web: https://syss.de
>
> PGP-Fingerprint: 85FE 80E2 04F3 6177 C61A 4618 61DE F14F 698E 6EB3
>
> Managing Director: Sebastian Schreiber
> Register court: Amtsgericht Stuttgart / HRB 382420
> Tax number: 86118 / 55809