Under the #CRA (Cyber Resilience Act), manufacturers must report actively exploited vulnerabilities and serious security incidents. How? Through the Single Reporting Platform. Starting when? September 11, 2026. Yes, this year. Link to the FAQ: www.enisa.europa.eu/topics/produ...

What does your factory reset actually wipe? Have you ever checked? A device leaves your factory. Years later, it is resold, returned, or thrown away. And yet, on many products, sensitive data is still there. All of our challenges: ygreky.com/challenge/

Today is Thursday, the day of the Embedded Security Challenge. Your task for this week: review the "private" networks your devices rely on. Are they truly private? And even if they are, how do you protect the device when someone plugs a modem into the network?

The Yocto Project Virtual Summit 2025.12 wrapped up last week with three days of great content. The new security track worked especially well (in my opinion), with strong interest in CVE-related tooling, secure boot, and vulnerability reporting. ygreky.com/2025/12/yoct...

Solid embedded teams keep track of everything they deliver: hardware, software, and configuration. Every time they deliver. 👉 The Embedded Security Challenge for this week: create or review your release storage. Make sure every single component you ship is recorded and stored.

We are running research on what embedded developers actually need for vuln management, which tools they use today, and which ones they would like to use in the future. The survey is open until the end of December 2025, and the results will be published in January. docs.google.com/forms/d/e/1F...

I am happy to announce two upcoming webinars on the Cyber Resilience Act for embedded developers. Many of you have asked for a condensed overview of the CRA and an update on where things stand after the recent waves of public reviews. Here it comes. All details here: ygreky.com/2025/12/unde...

On June 3rd and 10th with my colleagues from the Eclipse Foundation we will be running a free security training on vulnerability management and related subject. More details and registration links on blogs.eclipse.org/post/marta-r...

VulnCon is a quite unique conference focus on software (and not only) vulnerability management. It is happening at the beginning of April and I will be speaking twice.

We're organizing a BoF on the CRA (Cyber Resilience Act) conformance by embedded vendors on Sunday 2nd February 2025 at FOSDEM! Join us at 14h in H.3244. It is for: - embedded developers (Linux or any RTOS) - people working for "manufacturers" The schedule: fosdem.org/2025/schedul...

Monday morning: Last week's code is working on the first run and passing tests. Me: There's a serious problem here, so let's plan for a week of debugging.

The second week of our embedded security challenge has started. How do attackers get into a router or an industrial device? Not by the primary function but by the web application you can use to monitor and administer the device. Check the challenge at ygreky.com/challenge/

Embedded Security Challenge week 1 (until Jan 9, 2025): What are your product's services (applications, daemons) communicating, or potentially communicating with the Internet? Check all network interfaces. Also, check for both applications sending data and those listening. ygreky.com/challenge/

Hello world!