Free for open source

Your project is open. Your security inbox should not be a full-time job.

Forward a vulnerability report from your maintainer inbox. ZeroQuarry checks the claim against the public repository, challenges weak evidence, and keeps the decision and follow-up in one place.

No cardNo fixed expirationOne public project

AI made reports cheaper to send, not cheaper to resolve.

A scanner output can look urgent without showing reachability, product context, or a reproduction path. The maintainer still has to work out whether anything is real.

More low-context reports

People can submit polished scanner output without knowing the repository or validating the claim.

Repeated investigation

Maintainers reconstruct the same code path, affected versions, and prior decision across issues and inbox threads.

No shared operating record

The report, technical verdict, retest, and disclosure timeline often live in different places.

Turn an incoming claim into a maintainer decision.

ZeroQuarry handles repeatable investigation and record keeping. Maintainers still control authorization, disclosure, and changes to the project.

STEP 01

Forward

Send a report from your maintainer inbox into the project's ZeroQuarry intake address.

STEP 02

Bound

Match the sender and repository against the project's approved intake rules before assessment begins.

STEP 03

Validate

Investigate the public source, test reachability, and challenge evidence that does not hold up.

STEP 04

Decide

Record whether the claim is validated, disputed, accepted, mitigated, or ready for retest.

STEP 05

Track

Keep the report, decision history, retest, disclosure timeline, and controlled evidence connected.

Everything you need to resolve the next report.

Investigate the claim, capture the decision, and keep the follow-up attached to one public project.

01

One public project

Connect a public GitHub repository and keep its security work in one place.

02

Five runs each month

Use five focused reviews or one full public-source assessment each month.

03

One maintainer

Give one account owner a clear record of reports, decisions, and follow-up.

04

Secure report intake

Forward reports through approved sender and repository rules.

05

Validation and tracking

Use adversarial review, finding lifecycle, retests, and disclosure history on the public project.

06

Controlled evidence

Keep up to three active shares with expiration, revocation, and access history.

Built for active open-source maintainers.

Qualifying is straightforward. Connect a public GitHub repository with an OSI-approved license and confirm that you are authorized to manage security work for the project.

01

The repository is public on GitHub and carries an OSI-approved open-source license.

02

You maintain the project or have clear authorization to coordinate its security work.

03

The reports and security decisions relate to that public project.

program://eligibilityeligible
PUBLICGitHub repository

Connect the source maintainers already use to investigate reports.

LICENSEOSI approved

A recognized open-source license makes qualification clear.

WORKFLOWOne project record

Keep reports, decisions, and retests connected.

no card and no trial countdown

Designed by someone who has lived on the receiving end.

ZeroQuarry's founder led product work on Elasticsearch and Kong. The program comes from seeing how much maintainer time a security report can consume before anyone knows whether the claim is real.

That is also why the product keeps skeptical validation, a visible decision trail, and controlled disclosure work around the scan itself.

Read a coordinated vulnerability investigation
maintainer://decisionreviewed
CLAIMIs the reported path actually reachable?

Follow the repository and affected configuration before assigning severity.

CHALLENGEWhat would disprove it?

Check versions, defaults, permissions, and realistic user action.

RECORDWhy did we decide?

Keep the evidence available for the next report and the eventual retest.

scanner output is the start of review, not the conclusion

Questions maintainers usually ask.

What is included in the free trial?

The 30-day trial covers one private product, 25 security runs, three collaborators, source and pull-request review, release artifacts, authorized live testing, report intake, validation, patch proposals, retests, and controlled evidence. No card is required to begin.

How does free for open source work?

Eligible maintainers receive an ongoing account for one public GitHub project with five monthly security runs, one maintainer, bounded report intake, validation, tracking, and three controlled evidence shares. The project must remain public and use an OSI-approved license.

How do we move from the trial to a paid plan?

Choose the package and billing period that fit your expected capacity, then contact ZeroQuarry to activate it. Paid-plan activation is currently assisted while self-service subscription checkout is being completed.

Which projects qualify?

The program is for public GitHub projects under an OSI-approved license. You must be a current maintainer or otherwise authorized to manage security work for the project.

Is the account really free?

Yes. There is no card and no fixed expiration while the project remains public, licensed, and eligible. The account stays within the published project, user, and monthly run limits.

Can anyone scan a public repository?

The program is intended for maintainers, not third parties creating unofficial security workspaces. Eligibility is self-attested during registration and ZeroQuarry may review the project and maintainer relationship.

Can ZeroQuarry receive reports sent to our existing security address?

Yes. A maintainer can forward reports from an approved sender into the project's bounded intake address. The project controls which senders and public repositories may start assessment work.

What happens if we need private forks or more capacity?

Private source, multiple products, live testing, more collaborators, and higher monthly capacity are available on commercial plans. The public project can remain on the open-source program while private company work moves to a paid account.

Give maintainers a better way to resolve the next report.

Connect one public project, forward the next report, and see what holds up.