Release v2025.10.07.2

Author: zast-ai

.gitlab/.gitlab-ci.yml

@@ -10,6 +10,8 @@ variables:
 release_to_github:
   stage: release
   image: alpine:latest
+  tags:
+    - bj
   rules:
     - if: $CI_COMMIT_TAG
   before_script:
@@ -18,4 +20,5 @@ release_to_github:
     - git config --global user.name "$GIT_AUTHOR_NAME"
   script:
       - chmod +x "${CI_PROJECT_DIR}/.gitlab/release.sh"
-      - "${CI_PROJECT_DIR}/.gitlab/release.sh"
+      - "${CI_PROJECT_DIR}/.gitlab/release.sh"
+  resource_group: production

_config.yml

@@ -17,11 +17,11 @@ minimal_mistakes_skin: "dark" # "air", "aqua", "contrast", "dark", "dirt", "neon
 # Site Settings
 locale: "en-US"
 rtl: # true, false (default) # turns direction of the page into right to left for RTL languages
-title: "Zast.ai"
+title: "ZAST.AI"
 title_separator: "-"
 subtitle: # site tagline that appears below site title in masthead
-name: "Zast.ai"
-description: "AI agent that can identify vulnerabilities, and verify exploitability with zero false positives."
+name: "ZAST.AI"
+description: "Leading security research lab providing AI vulnerability research agents"
 url: "https://blog.zast.ai"
 baseurl: # the subpath of your site, e.g. "/blog"
 repository: # GitHub username/repo-name e.g. "mmistakes/minimal-mistakes"

_includes/head.html

@@ -1,5 +1,5 @@
 <meta charset="utf-8" />
-
+<link rel="icon" type="image/x-icon" href="{{ '/assets/img/favicon.ico' | relative_url }}">
 {% include seo.html %} {% unless site.atom_feed.hide %}
 <link
   href="{% if site.atom_feed.path %}{{ site.atom_feed.path }}{% else %}{{ '/feed.xml' | relative_url }}{% endif %}"

_posts/2025-07-28-Introduce-Zast.ai.md

@@ -1,7 +1,7 @@
 ---
-title: "A Shared Pursuit: Introducing Zast.ai"
-description: "Introducing Zast.ai - AI agent that can identify vulnerabilities, and verify exploitability with zero false positives. Join us in making software more secure."
-keywords: "Zast.ai, AI security, vulnerability detection, zero-day vulnerabilities, application security testing, automated security, code analysis, PoC generation, cybersecurity, software security"
+title: "A Shared Pursuit: Introducing ZAST.AI"
+description: "Introducing ZAST.AI - AI agent that can identify vulnerabilities, and verify exploitability with zero false positives. Join us in making software more secure."
+keywords: "ZAST.AI, AI security, vulnerability detection, zero-day vulnerabilities, application security testing, automated security, code analysis, PoC generation, cybersecurity, software security"
 author: "Geng Yang"
 date: 2025-07-29
 categories: ["Security", "AI", "Vulnerability Assessment"]
@@ -21,7 +21,7 @@ last_modified_at: 2025-07-29
 ---
 
 **Geng Yang**  
-Co-founder & CEO, Zast.ai  
+Co-founder & CEO, ZAST.AI  
 July 28, 2025, Seattle
 
 ---
@@ -39,19 +39,19 @@ We believe that security reports are cheap. Real impact requires proof. That's w
 
 ### Performance in the Real World
 
-During its development, Zast.ai uncovered hundreds of zero-day vulnerabilities. Beginning July 14th 2025, we've been submitting these discoveries to [VulDB.com](https://vuldb.com/), an accredited CVE Numbering Authority (CNA).
+During its development, ZAST.AI uncovered hundreds of zero-day vulnerabilities. Beginning July 14th 2025, we've been submitting these discoveries to [VulDB.com](https://vuldb.com/), an accredited CVE Numbering Authority (CNA).
 
 The results of the last ten days have been humbling and affirming:
 
 - As of July 28th, we have submitted **78** vulnerabilities.
 
   ![Vulnerability submissions growth on VulDB.com]({{'/assets/img/vuldb/growth.png' | relative_url }})
 
-- This effort has made Zast.ai the **#1** global contributor to VulDB for the month of July, 2025.
+- This effort has made ZAST.AI the **#1** global contributor to VulDB for the month of July, 2025.
 
-  ![Zast.ai vulnerability submissions on VulDB.com]({{'/assets/img/vuldb/number1.png' | relative_url }})
+  ![ZAST.AI vulnerability submissions on VulDB.com]({{'/assets/img/vuldb/number1.png' | relative_url }})
 
-- In just over a week, Zast.ai has reached **#31** among all-time global contributors on [VulDB.com](https://vuldb.com/).
+- In just over a week, ZAST.AI has reached **#31** among all-time global contributors on [VulDB.com](https://vuldb.com/).
   The impact of these discoveries extends far beyond numbers. Our vulnerability findings span from critical infrastructure components to popular development tools, representing some of the most widely-used open source projects in the world.
 
   ![Star count distribution of affected repositories]({{'/assets/img/vuldb/starpie.png' | relative_url }})
@@ -62,7 +62,7 @@ We don't share these numbers to boast, but to offer as a proof of concept: that
 
 ### How It Works: A Three-Step Process
 
-Zast.ai is designed to deliver proof, not just alerts:
+ZAST.AI is designed to deliver proof, not just alerts:
 
 1. **Candidate Generation:** It analyzes target code base to identify potential vulnerability "candidates."
 2. **Automated PoC Generation:** For each candidate, it generates and executes a tailored Proof of Concept against a test environment.
@@ -72,27 +72,27 @@ Zast.ai is designed to deliver proof, not just alerts:
 
 ### How to Get Started
 
-You can integrate Zast.ai into your workflow in minutes.
+You can integrate ZAST.AI into your workflow in minutes.
 
 1. Deploy your code in a test environment or start a local debug session.
-2. Visit [https://zast.ai](https://zast.ai) and follow the on-screen instructions to create an assessment task.
+2. Visit [https://ZAST.AI](https://zast.ai) and follow the on-screen instructions to create an assessment task.
 3. You'll receive an email notification when the assessment is completed.
 
 ---
 
 ### Current Limitations
 
-Although Zast.ai is continuously improving every day, here are its current limitations:
+Although ZAST.AI is continuously improving every day, here are its current limitations:
 
-- **Languages:** Zast.ai currently supports **Java** and **JavaScript/TypeScript**. Python is next in line (in beta test), and more languages are on our roadmap.
-- **Vulnerability Types:** Zast.ai is better with grammar-based vulnerabilities. For semantic ones, it currently supports **IDOR** and certain types of **information leakage**.
-- **Resource:** Zast.ai's GPU capacity is limited (we are a small start-up). If this blog generates significant demand for audits, we'll prioritize scaling our computational resources to meet your needs. If you find your job is in the queue, thank you for your patience.
+- **Languages:** ZAST.AI currently supports **Java** and **JavaScript/TypeScript**. Python is next in line (in beta test), and more languages are on our roadmap.
+- **Vulnerability Types:** ZAST.AI is better with grammar-based vulnerabilities. For semantic ones, it currently supports **IDOR** and certain types of **information leakage**.
+- **Resource:** ZAST.AI's GPU capacity is limited (we are a small start-up). If this blog generates significant demand for audits, we'll prioritize scaling our computational resources to meet your needs. If you find your job is in the queue, thank you for your patience.
 
 ---
 
 ### The Journey Ahead
 
-We don't have all the answers. We humbly offer Zast.ai —and its findings —as a starting point and a conversation starter. Our deepest hope is that by making Zast.ai accessible, we can inspire our fellow security engineers, researchers, and builders to make our digital world more secure.
+We don't have all the answers. We humbly offer ZAST.AI —and its findings —as a starting point and a conversation starter. Our deepest hope is that by making ZAST.AI accessible, we can inspire our fellow security engineers, researchers, and builders to make our digital world more secure.
 
 ---
 

_posts/2025-07-29-How-to-Use-Zast.ai.md

@@ -1,8 +1,8 @@
 ---
-title: "How to Use Zast.ai"
-description: "Complete step-by-step guide on how to use Zast.ai for vulnerability assessment. Learn how to upload code, verify ownership, add test accounts, and get detailed security reports with zero false positives."
-keywords: "Zast.ai tutorial, vulnerability assessment guide, security testing, code upload, ownership verification, test accounts, security reports, AI security, automated vulnerability detection"
-author: "Zast.ai Team"
+title: "How to Use ZAST.AI"
+description: "Complete step-by-step guide on how to use ZAST.AI for vulnerability assessment. Learn how to upload code, verify ownership, add test accounts, and get detailed security reports with zero false positives."
+keywords: "ZAST.AI tutorial, vulnerability assessment guide, security testing, code upload, ownership verification, test accounts, security reports, AI security, automated vulnerability detection"
+author: ZAST.AI Team"
 date: 2025-07-29
 categories: ["Tutorial", "Security", "AI"]
 tags: ["vulnerability assessment", "AI security", "cybersecurity"]
@@ -11,7 +11,7 @@ header:
 last_modified_at: 2025-07-29
 ---
 
-**Zast.ai Team**,  
+**ZAST.AI Team**,  
 
 July 29, 2025, Seattle
 

_posts/2025-07-29-Vulnerability-Disclosure-Challenges-in-Open-Source-Projects.md

@@ -8,7 +8,7 @@ tags: [CVE, Formidable, SBOM, Supply Chain Security, Responsible Disclosure, npm
 ---
 
 **Chris**,  
-Co-founder, Zast.ai  
+Co-founder, ZAST.AI  
 Sep. 04, 2025, Toronto
 
 ---
@@ -196,4 +196,4 @@ Action items:
 
 Enterprises may consider evolving their open source software practices toward more active oversight and collaborative responsibility.
 
-As an automated vulnerability assessment AI agent, Zast.ai is continuously exploring effective approaches to dependency vulnerability assessment. Follow us on X <a href="https://twitter.com/zast_ai" target="_blank" rel="noopener noreferrer">@zast_ai</a> to discuss advancing software supply chain security.
+As an automated vulnerability assessment AI agent, ZAST.AI is continuously exploring effective approaches to dependency vulnerability assessment. Follow us on X <a href="https://twitter.com/zast_ai" target="_blank" rel="noopener noreferrer">@zast_ai</a> to discuss advancing software supply chain security.

_posts/2025-08-28-Finding-Zero-Day-Vulnerabilities-at-Scale.md

@@ -1,15 +1,15 @@
 ---
-title: "Finding Zero-Day Vulnerabilities at Scale: Our Journey with Zast.ai"
-description: "Learn about our journey using Zast.ai to discover hundreds of zero-day vulnerabilities across the open-source ecosystem at scale, and the challenges we faced in responsibly disclosing them."
+title: "Finding Zero-Day Vulnerabilities at Scale: Our Journey with ZAST.AI"
+description: "Learn about our journey using ZAST.AI to discover hundreds of zero-day vulnerabilities across the open-source ecosystem at scale, and the challenges we faced in responsibly disclosing them."
 author: "Chris"
 date: 2025-09-10
 categories: [Security, AI, Open Source]
-tags: [Zero-Day, Vulnerability Disclosure, Zast.ai, Log4Shell, Automation, CVE]
+tags: [Zero-Day, Vulnerability Disclosure, ZAST.AI, Log4Shell, Automation, CVE]
 hidden: false
 ---
 
 **Chris**,  
-Co-founder, Zast.ai  
+Co-founder, ZAST.AI  
 Sep. 10, 2025, Toronto
 
 ---
@@ -25,7 +25,7 @@ Our mission was ambitious: systematically assess thousands of open-source projec
 <center><em>resource: https://xkcd.com/2347/</em></center>
 <br/>
 
-To achieve this, we developed a comprehensive automation pipeline leveraging Zast.ai's capabilities:<br>
+To achieve this, we developed a comprehensive automation pipeline leveraging ZAST.AI's capabilities:<br>
 
 <center><img src="{{'/assets/img/Finding-Zero-Day-Vulnerabilities-at-Scale/b2-1.png' | relative_url }}" alt="b2-1" width="750" height="auto"></center>
 
@@ -35,19 +35,19 @@ To achieve this, we developed a comprehensive automation pipeline leveraging Zas
 
 3. **Deployment Automation**: One of the biggest challenges was automatically deploying diverse projects with varying dependencies and configurations.
 
-4. **Assessment with Zast.ai**: Each deployed project was assessed using Zast.ai to identify potential vulnerabilities.
+4. **Assessment with ZAST.AI**: Each deployed project was assessed using Zast.ai to identify potential vulnerabilities.
 
 5. **Result Aggregation**: Findings from individual assessments were collected and consolidated into comprehensive reports.
 
 ## Discovering Hundreds of Zero-Day Vulnerabilities
 
-Through our systematic approach and the power of Zast.ai, we successfully identified hundreds of zero-day vulnerabilities across a wide range of open-source projects. These findings included critical issues in popular libraries, frameworks, and tools that are integral to modern software development.
+Through our systematic approach and the power of ZAST.AI, we successfully identified hundreds of zero-day vulnerabilities across a wide range of open-source projects. These findings included critical issues in popular libraries, frameworks, and tools that are integral to modern software development.
 
 Each vulnerability was verified with a working Proof of Concept (PoC) and a demonstrated exploit, ensuring the accuracy and impact of our discoveries.
 
 <center><img src="{{'/assets/img/Finding-Zero-Day-Vulnerabilities-at-Scale/vuldb.png' | relative_url }}" alt="vuldb" width="750" height="auto"></center>
 
-Following responsible disclosure practices, we are in the process of reporting these vulnerabilities through proper channels. For a complete list of vulnerabilities discovered by [Zast.ai](https://zast.ai/){:target="_blank"}, that have completed the disclosure process, please see [https://www.cve.org/CVERecord/SearchResults?query=zast.ai](https://www.cve.org/CVERecord/SearchResults?query=zast.ai){:target="_blank"}.
+Following responsible disclosure practices, we are in the process of reporting these vulnerabilities through proper channels. For a complete list of vulnerabilities discovered by [ZAST.AI](https://zast.ai/){:target="_blank"}, that have completed the disclosure process, please see [https://www.cve.org/CVERecord/SearchResults?query=zast.ai](https://www.cve.org/CVERecord/SearchResults?query=zast.ai){:target="_blank"}.
 
 ## The Disclosure Journey: Triumphs and Tibulations
 
@@ -69,7 +69,7 @@ One particularly illustrative example of these challenges is detailed in our sep
 
 ## Looking Forward: Building a More Secure Open Source Community
 
-Our journey with Zast.ai has been both challenging and rewarding. Through automation and collaboration, we've taken significant steps toward proactively securing the open-source ecosystem. However, this is just the beginning.
+Our journey with ZAST.AI has been both challenging and rewarding. Through automation and collaboration, we've taken significant steps toward proactively securing the open-source ecosystem. However, this is just the beginning.
 
 We envision a future where:
 

_posts/2025-09-19-Vulnerability-Assessments-Without-PoC-Are-a-Waste-of-Time!.md

@@ -1,14 +1,14 @@
 ---
 title: "Vulnerability Assessments Without PoC Are a Waste of Time!"
 description: "Discover why vulnerability assessments without a Proof of Concept (PoC) are a waste of time. This article explores how AI and LLMs can automatically generate effective PoCs for vulnerabilities like SSRF and Path Injection, enabling teams to validate real risks quickly and eliminate false positives."
-author: "Zast.ai Team"
+author: "ZAST.AI Team"
 date: 2025-09-19
 categories: [Security, AI, Tech Insights]
-tags: [Vulnerability Assessment, Proof of Concept, Zast.ai, AI in Cybersecurity, LLM, SSRF, Path Injection, RCE, File Upload Vulnerability, Automated Security Testing, Application Security, Vulnerability Validation, False Positives]
+tags: [Vulnerability Assessment, Proof of Concept, ZAST.AI, AI in Cybersecurity, LLM, SSRF, Path Injection, RCE, File Upload Vulnerability, Automated Security Testing, Application Security, Vulnerability Validation, False Positives]
 hidden: false
 ---
 
-**Zast.ai Team**,  
+**ZAST.AI Team**,  
 
 Sep. 19, 2025, Seattle
 
@@ -127,7 +127,7 @@ print('Response Text:', response.text)
 
 <center><img src="{{'/assets/img/Vulnerability-Assessments-Without-PoC-Are-a-Waste-of-Time!/result.png' | relative_url }}" alt="result" width="750" height="auto"></center>
 
-From the vulnerable code and the POC, we can see that the `fileType` parameter controls the file upload type. This means that the file extension whitelist allows threat actor to modify at will. In this case, Zast.ai used a PDF file with an XSS payload to demonstrate the file upload vulnerability.
+From the vulnerable code and the POC, we can see that the `fileType` parameter controls the file upload type. This means that the file extension whitelist allows threat actor to modify at will. In this case, ZAST.AI used a PDF file with an XSS payload to demonstrate the file upload vulnerability.
 
 Next, let’s copy the POC code to our local machine for testing:
 
@@ -178,7 +178,7 @@ Finally, once added, we can manipulate the backdoor to control the target Web se
 
 <center><img src="{{'/assets/img/Vulnerability-Assessments-Without-PoC-Are-a-Waste-of-Time!/false.png' | relative_url }}" alt="false" width="750" height="auto"></center>
 
-So, by simply tweaking the POC zast.ai provided for the file upload vulnerability, we’ve easily landed an RCE vulnerability.
+So, by simply tweaking the POC ZAST.AI provided for the file upload vulnerability, we’ve easily landed an RCE vulnerability.
 
 The above examples show how well LLMs can automate POC generation. Traditional methods, on the other hand, have many challenges and limitations.