Added official PAX response

Giulio 2020-11-09 12:03:26 +01:00
parent df6183e291
commit 80e838ea51


@ -376,6 +376,28 @@ By finding a vulnerability in a Merchant App, in `libosal.so` or in one in the k
## Reporting
I tried contacting several times PAX Global via email and never got a reply related to anything: neither about the security vulneabilities, neither on inquiries about the source code for the GPL licensed software (Linux/U-Boot).
### Update
Following this public disclosure PAX got in touch with me. It turned out my previous emails on June 2020 were marked as spam and never read.
Here's their official answer for the following two question:
* Don't you have a patch distribution method and a remediation plan for vulnerabilities in your devices?
```
We apply relevant security patches to all software components we use.
For vulnerabilities •Arbitrary read/write - CVE-2020-28044, •ELF signature bypass - CVE-2020-28045 and •Root privesc - CVE-2020-28046, we have fixed them these days and the firmware is under releasing.
For vulnerabilities "Dirty COW", our kernel had "Dirty COW" patch included once CVE-2016-5195 had been published.
```
* Do you plan to release the source code, patches and build scripts for the modifications to the GPL licensed code?
```
We certainly do comply with GPL version requirements, and had provided source code at requests before several years ago. Since we do not have automated or semi-automated procedure for that, we may need up to several weeks to review and isolate our proprietary code, and adjust the build scripts for the redaction.
```
## Fun fact
I had issues understanding the `shadow` password format:
```
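Review bot: the new "Update" subsection gives the vendor's answers but no dates, so a reader cannot reconstruct the disclosure timeline. The text says the June 2020 emails were marked as spam and that PAX "got in touch" after the public disclosure, but neither the disclosure date nor the date of PAX's reply appears; add both so the line "the firmware is under releasing" can later be checked against an actual firmware version, which the answer also does not name. Two wording fixes in the same hunk: "the following two question" should read "the following two questions", and "neither about the security vulneabilities, neither on inquiries" should read "neither about the security vulnerabilities nor about inquiries". Finally, the two vendor answers are quoted prose, not code, so a `>` blockquote would read better than the bare ``` fences, which also render the "•" bullets in the CVE list as literal characters.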