Marta Rybczynska
mrybczyn.bsky.social
Talking about open source security & tech. Founder of Ygreky https://ygreky.com/
Under the #CRA (Cyber Resilience Act), manufacturers must report actively exploited vulnerabilities and serious security incidents.

How? Through the Single Reporting Platform.
Starting when? September 11, 2026. Yes, this year.

Link to the FAQ: www.enisa.europa.eu/topics/produ...
February 15, 2026 at 11:17 AM
What does your factory reset actually wipe? Have you ever checked?

A device leaves your factory. Years later, it is resold, returned, or thrown away. And yet, on many products, sensitive data is still there.

All of our challenges: ygreky.com/challenge/
December 30, 2025 at 11:41 AM
Today is Thursday, the day of the Embedded Security Challenge.

Your task for this week: review the "private" networks your devices rely on. Are they truly private? And even if they are, how do you protect the device when someone plugs a modem into the network?
December 11, 2025 at 7:00 AM
The Yocto Project Virtual Summit 2025.12 wrapped up last week with three days of great content. The new security track worked especially well (in my opinion), with strong interest in CVE-related tooling, secure boot, and vulnerability reporting.

ygreky.com/2025/12/yoct...
December 10, 2025 at 6:13 AM
Solid embedded teams keep track of everything they deliver: hardware, software, and configuration. Every time they deliver.

👉 The Embedded Security Challenge for this week: create or review your release storage. Make sure every single component you ship is recorded and stored.
December 8, 2025 at 6:40 AM
We are running research on what embedded developers actually need for vuln management, which tools they use today, and which ones they would like to use in the future. The survey is open until the end of December 2025, and the results will be published in January.

docs.google.com/forms/d/e/1F...
Next generation vulnerability checking and management tool for embedded - survey
This form aims at collecting requirements and needs of all interested developers and embedded companies to find out what the exact needs in the field are. Thank you!
December 4, 2025 at 7:01 AM
I am happy to announce two upcoming webinars on the Cyber Resilience Act for embedded developers. Many of you have asked for a condensed overview of the CRA and an update on where things stand after the recent waves of public reviews. Here it comes. All details here: ygreky.com/2025/12/unde...
Understanding the Cyber Resilience Act – Ygreky
December 1, 2025 at 7:50 PM
On June 3rd and 10th, with my colleagues from the Eclipse Foundation, we will be running a free security training on vulnerability management and related subjects.

More details and registration links on blogs.eclipse.org/post/marta-r...
Announcing Security Training on Vulnerability Management, SBOM and related subjects
Do you want to know more about
May 30, 2025 at 3:35 PM
VulnCon is quite a unique conference focused on software (and not only) vulnerability management. It is happening at the beginning of April and I will be speaking twice.
March 14, 2025 at 3:23 PM
We're organizing a BoF on the CRA (Cyber Resilience Act) conformance by embedded vendors on Sunday 2nd February 2025 at FOSDEM! Join us at 14h in H.3244.

It is for:
- embedded developers (Linux or any RTOS)
- people working for "manufacturers"

The schedule: fosdem.org/2025/schedul...
January 29, 2025 at 11:15 AM
Monday morning: Last week's code is working on the first run and passing tests.

Me: There's a serious problem here, so let's plan for a week of debugging.
January 13, 2025 at 8:32 AM
The second week of our embedded security challenge has started.

How do attackers get into a router or an industrial device? Not by the primary function but by the web application you can use to monitor and administer the device.

Check the challenge at ygreky.com/challenge/
January 10, 2025 at 7:37 PM
Embedded Security Challenge week 1 (until Jan 9, 2025): What are your product's services (applications, daemons) communicating, or potentially communicating with the Internet? Check all network interfaces. Also, check for both applications sending data and those listening.

ygreky.com/challenge/
January 8, 2025 at 3:09 PM
Hello world!
November 21, 2024 at 12:03 PM