Security Research Welcome

Vulnerability Disclosure Policy

We believe security is a collaborative effort. Help us keep ZAST.AI safe by reporting vulnerabilities responsibly.

Last Updated: December 2025

Live Disclosure Feed

Discovered by ZAST.ai

Our agent is autonomously discovering zero-days in the world's most critical open-source projects.

Server-Side Request Forgery

Apr 10, 2026

openclaw/openclaw

Sandbox Issue

Apr 23, 2026

unknown/unknown

Server-Side Request Forgery

Mar 8, 2026

xuxueli/xxl-job

Observable Response Discrepancy

Mar 24, 2026

minio/minio

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Feb 14, 2026

unknown/unknown

CWE-434 Unrestricted Upload of File with Dangerous Type

Feb 19, 2026

unknown/unknown

CWE-94 Improper Control of Generation of Code ('Code Injection')

Mar 7, 2026

unknown/unknown

CWE-94 Improper Control of Generation of Code ('Code Injection')

Jun 2, 2026

unknown/unknown

Information DisclosureTypeScript

Jan 19, 2026

birkir/prime

Denial of ServiceTypeScript

Jan 19, 2026

birkir/prime

Server-Side Request Forgery

Apr 10, 2026

openclaw/openclaw

Sandbox Issue

Apr 23, 2026

unknown/unknown

Server-Side Request Forgery

Mar 8, 2026

xuxueli/xxl-job

Observable Response Discrepancy

Mar 24, 2026

minio/minio

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Feb 14, 2026

unknown/unknown

CWE-434 Unrestricted Upload of File with Dangerous Type

Feb 19, 2026

unknown/unknown

CWE-94 Improper Control of Generation of Code ('Code Injection')

Mar 7, 2026

unknown/unknown

CWE-94 Improper Control of Generation of Code ('Code Injection')

Jun 2, 2026

unknown/unknown

Information DisclosureTypeScript

Jan 19, 2026

birkir/prime

Denial of ServiceTypeScript

Jan 19, 2026

birkir/prime

Global Vulnerability DB

Global Impact

155

Vulnerabilities Verified

Updates Every 60s

1. Introduction

At ZAST.AI, we believe that security is a collaborative effort. We value the work of security researchers and the community in helping us keep our systems and users safe. If you have identified a potential security vulnerability, we appreciate your help in disclosing it to us in a responsible manner.

2. Scope

In Scope:

*.zast.ai
ZAST.AI official web applications and APIs

Out of Scope:

Third-party integrations or services used by ZAST.AI
Social engineering, phishing, or physical security attacks
Denial of Service (DoS/DDoS) attacks

3. Guidelines for Researchers

To encourage responsible disclosure, we ask that you:

Notify us immediately upon discovering a potential issue
Avoid harm: Do not exfiltrate data, disrupt services, or compromise user privacy
Confidentiality: Give us a reasonable timeframe to remediate the issue before making any information public
Stop testing immediately if you encounter any sensitive or personal data

4. How to Report

Please email your findings to:

security@zast.ai

Include in Your Report

• Brief description of the vulnerability
• Steps to reproduce (Proof of Concept)
• Potential impact
• Any relevant screenshots or logs

What Helps Us

• Clear, detailed descriptions
• Reproducible steps
• Evidence of the vulnerability
• Your contact information

5. Our Commitment

If you follow these guidelines, we promise to:

Acknowledge receipt of your report within 3 business days
Not pursue legal action for research conducted in good faith within this scope
Keep you updated on our progress as we investigate and fix the issue
Credit: With your permission, we are happy to acknowledge your contribution once the issue is resolved

Note: We believe in transparency and cooperation with the security community. Your responsible disclosure helps protect all ZAST.AI users. Thank you for making the internet safer.

Have Questions?

If you have any questions about our vulnerability disclosure policy, please don't hesitate to reach out.

Contact Security Team

Security Research Welcome

Vulnerability Disclosure Policy

We believe security is a collaborative effort. Help us keep ZAST.AI safe by reporting vulnerabilities responsibly.

Last Updated: December 2025

Live Disclosure Feed

Discovered by ZAST.ai

Our agent is autonomously discovering zero-days in the world's most critical open-source projects.

Server-Side Request Forgery

Apr 10, 2026

openclaw/openclaw

Sandbox Issue

Apr 23, 2026

unknown/unknown

Server-Side Request Forgery

Mar 8, 2026

xuxueli/xxl-job

Observable Response Discrepancy

Mar 24, 2026

minio/minio

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Feb 14, 2026

unknown/unknown

CWE-434 Unrestricted Upload of File with Dangerous Type

Feb 19, 2026

unknown/unknown

CWE-94 Improper Control of Generation of Code ('Code Injection')

Mar 7, 2026

unknown/unknown

CWE-94 Improper Control of Generation of Code ('Code Injection')

Jun 2, 2026

unknown/unknown

Information DisclosureTypeScript

Jan 19, 2026

birkir/prime

Denial of ServiceTypeScript

Jan 19, 2026

birkir/prime

Server-Side Request Forgery

Apr 10, 2026

openclaw/openclaw

Sandbox Issue

Apr 23, 2026

unknown/unknown

Server-Side Request Forgery

Mar 8, 2026

xuxueli/xxl-job

Observable Response Discrepancy

Mar 24, 2026

minio/minio

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Feb 14, 2026

unknown/unknown

CWE-434 Unrestricted Upload of File with Dangerous Type

Feb 19, 2026

unknown/unknown

CWE-94 Improper Control of Generation of Code ('Code Injection')

Mar 7, 2026

unknown/unknown

CWE-94 Improper Control of Generation of Code ('Code Injection')

Jun 2, 2026

unknown/unknown

Information DisclosureTypeScript

Jan 19, 2026

birkir/prime

Denial of ServiceTypeScript

Jan 19, 2026

birkir/prime

Global Vulnerability DB

Global Impact

155

Vulnerabilities Verified

Updates Every 60s

1. Introduction

2. Scope

In Scope:

*.zast.ai
ZAST.AI official web applications and APIs

Out of Scope:

Third-party integrations or services used by ZAST.AI
Social engineering, phishing, or physical security attacks
Denial of Service (DoS/DDoS) attacks

3. Guidelines for Researchers

To encourage responsible disclosure, we ask that you:

Notify us immediately upon discovering a potential issue
Avoid harm: Do not exfiltrate data, disrupt services, or compromise user privacy
Confidentiality: Give us a reasonable timeframe to remediate the issue before making any information public
Stop testing immediately if you encounter any sensitive or personal data

4. How to Report

Please email your findings to:

security@zast.ai

Include in Your Report

• Brief description of the vulnerability
• Steps to reproduce (Proof of Concept)
• Potential impact
• Any relevant screenshots or logs

What Helps Us

• Clear, detailed descriptions
• Reproducible steps
• Evidence of the vulnerability
• Your contact information

5. Our Commitment

If you follow these guidelines, we promise to:

Acknowledge receipt of your report within 3 business days
Not pursue legal action for research conducted in good faith within this scope
Keep you updated on our progress as we investigate and fix the issue
Credit: With your permission, we are happy to acknowledge your contribution once the issue is resolved

Note: We believe in transparency and cooperation with the security community. Your responsible disclosure helps protect all ZAST.AI users. Thank you for making the internet safer.

Have Questions?

If you have any questions about our vulnerability disclosure policy, please don't hesitate to reach out.

Contact Security Team