Scanner output
Suspicion is cheap
Generic tools can flag odd code paths, dangerous APIs, or broad classes of risk without proving the issue matters in the product.
RESEARCH
Published findings and disclosure-safe analysis
Research-backed vulnerability testing.
ZeroQuarry research is where validated findings become public lessons. We publish after responsible disclosure, with enough technical detail to be useful and enough restraint to protect users still updating.
feed://research
$ publish --mode responsible-disclosure
ok unpublished findings stay unnamed until fixes ship
$ derive --signals platform
ok patterns feed scanner prompts, checks, and reports
$ queue --status coordinated
ok active disclosures awaiting maintainer responses
Credibility
The platform is shaped by real findings.
The research feed is intentionally conservative. It only includes issues that are safe to discuss publicly, while the private disclosure queue continues behind the scenes.
ZeroQuarry research
Exploitability is earned
Research starts with agent discovery, then pushes toward reachable impact, disclosure evidence, patch context, and safe public explanation.
Platform feedback
Findings become coverage
Every validated pattern informs future testing: prompts, scanners, report language, confidence scoring, and evidence packet structure.
Published research
Disclosure-safe writeups.
4 published posts so far. Additional findings are in coordinated disclosure and will be added after fixes or maintainer guidance make publication appropriate.
Models and Their Capabilities
Not all AI models are equally good at security research. Some are great at spotting suspicious code, others are better at validating real vulnerabilities, and the best results often come from combining them in a multi-agent workflow.
The Future of AI Security Scanning Is Multi-Agent
In the battle of the 'frontier models' and 'bad actors', most software shops are getting caught in the middle. Multi-agent orchestration is the only viable solution to modern product security
Many serious vulnerabilities found in Obsidian's Excalidraw plugin
ZeroQuarry identified a number of serious vulnerabilities in the Excalidraw plugin. We engaged in a coordinated disclosure with Obsidian and the plugin maintainer. This writeup explains the impact, disclosure process, mitigation tradeoff, and lessons for plugin ecosystems.
RCE via Markdown in the Obsidian Tasks Plugin
ZeroQuarry identified a critical RCE path in the Obsidian Tasks plugin and coordinated disclosure with Obsidian and the plugin maintainer. This writeup explains the impact, disclosure process, mitigation tradeoff, and lessons for plugin ecosystems.
Responsible disclosure
There is a public feed and a private queue.
Not every finding belongs on the website immediately. ZeroQuarry is useful because it finds real issues quickly; publishing still follows the slower rhythm of disclosure, fixes, and user protection.
Find
Agents explore source, binaries, reachable services, trust boundaries, and product-specific behavior.
Validate
Findings are challenged for reachability, impact, affected versions, and evidence quality before disclosure.
Coordinate
Maintainers get scoped reports, patch context, and time to investigate or ship mitigations.
Publish
Writeups become public only when the disclosure posture is appropriate and the detail level is safe.
Hunting patterns
Where ZeroQuarry keeps finding weird edges.
These are the surfaces showing up repeatedly in our research and private disclosures. They are also the areas B2B product teams tend to under-test between annual scans.
Plugins
Extension ecosystems
Community plugins, app extensions, and integration points often inherit powerful permissions with inconsistent review.
Content
Markdown and templates
Rich content formats can cross from document parsing into script execution, file access, and trusted UI behavior.
Local
Desktop and local apps
Local file systems, embedded browsers, sync features, and convenience APIs create unusual trust boundaries.
APIs
Product-specific backends
The interesting bugs often live in business logic, authorization edges, request routing, and stored credentials.
AI
Agent workflows
AI features connect prompts, tools, files, secrets, and users in ways traditional scanners rarely model well.
Supply chain
Dependencies and build paths
Open-source packages, generated artifacts, and release automation become attack surface as soon as products depend on them.