More low-context reports
People can submit polished scanner output without knowing the repository or validating the claim.
Forward a vulnerability report from your maintainer inbox. ZeroQuarry checks the claim against the public repository, challenges weak evidence, and keeps the decision and follow-up in one place.
A scanner output can look urgent without showing reachability, product context, or a reproduction path. The maintainer still has to work out whether anything is real.
People can submit polished scanner output without knowing the repository or validating the claim.
Maintainers reconstruct the same code path, affected versions, and prior decision across issues and inbox threads.
The report, technical verdict, retest, and disclosure timeline often live in different places.
ZeroQuarry handles repeatable investigation and record keeping. Maintainers still control authorization, disclosure, and changes to the project.
Send a report from your maintainer inbox into the project's ZeroQuarry intake address.
Match the sender and repository against the project's approved intake rules before assessment begins.
Investigate the public source, test reachability, and challenge evidence that does not hold up.
Record whether the claim is validated, disputed, accepted, mitigated, or ready for retest.
Keep the report, decision history, retest, disclosure timeline, and controlled evidence connected.
Investigate the claim, capture the decision, and keep the follow-up attached to one public project.
Connect a public GitHub repository and keep its security work in one place.
Use five focused reviews or one full public-source assessment each month.
Give one account owner a clear record of reports, decisions, and follow-up.
Forward reports through approved sender and repository rules.
Use adversarial review, finding lifecycle, retests, and disclosure history on the public project.
Keep up to three active shares with expiration, revocation, and access history.
Qualifying is straightforward. Connect a public GitHub repository with an OSI-approved license and confirm that you are authorized to manage security work for the project.
The repository is public on GitHub and carries an OSI-approved open-source license.
You maintain the project or have clear authorization to coordinate its security work.
The reports and security decisions relate to that public project.
Connect the source maintainers already use to investigate reports.
A recognized open-source license makes qualification clear.
Keep reports, decisions, and retests connected.
ZeroQuarry's founder led product work on Elasticsearch and Kong. The program comes from seeing how much maintainer time a security report can consume before anyone knows whether the claim is real.
That is also why the product keeps skeptical validation, a visible decision trail, and controlled disclosure work around the scan itself.
Read a coordinated vulnerability investigationFollow the repository and affected configuration before assigning severity.
Check versions, defaults, permissions, and realistic user action.
Keep the evidence available for the next report and the eventual retest.
The 30-day trial covers one private product, 25 security runs, three collaborators, source and pull-request review, release artifacts, authorized live testing, report intake, validation, patch proposals, retests, and controlled evidence. No card is required to begin.
Eligible maintainers receive an ongoing account for one public GitHub project with five monthly security runs, one maintainer, bounded report intake, validation, tracking, and three controlled evidence shares. The project must remain public and use an OSI-approved license.
Choose the package and billing period that fit your expected capacity, then contact ZeroQuarry to activate it. Paid-plan activation is currently assisted while self-service subscription checkout is being completed.
The program is for public GitHub projects under an OSI-approved license. You must be a current maintainer or otherwise authorized to manage security work for the project.
Yes. There is no card and no fixed expiration while the project remains public, licensed, and eligible. The account stays within the published project, user, and monthly run limits.
The program is intended for maintainers, not third parties creating unofficial security workspaces. Eligibility is self-attested during registration and ZeroQuarry may review the project and maintainer relationship.
Yes. A maintainer can forward reports from an approved sender into the project's bounded intake address. The project controls which senders and public repositories may start assessment work.
Private source, multiple products, live testing, more collaborators, and higher monthly capacity are available on commercial plans. The public project can remain on the open-source program while private company work moves to a paid account.
Connect one public project, forward the next report, and see what holds up.