What it is
ZeroPath describes its product as an AI-native code security platform and AI-native SAST rather than a rules-only static analyzer. Its public technical overview describes a pipeline that builds source-code structure, enriches call graphs, uses AI to identify sources and sinks, runs threat-model and validation agents, and can generate patches.
For Bugflation, the important part is narrower: ZeroPath has public research posts where its scanner, AI-assisted SAST, or ZeroPath Research workflow is named in the discovery story, and several of those findings are corroborated by CVE records, GitHub security advisories, upstream releases, or patch links.
What is verified
The current ledger indexes six conservative ZeroPath entries:
- Apache NiFi CVE-2026-39816, where ZeroPath provides the discovery write-up and AI-workflow context, while Apache’s advisory, oss-security, Jira, and NVD corroborate the vulnerability, affected versions, fixed version, and reporter.
- ProFTPD CVE-2026-42167, where ZeroPath provides the discovery write-up and proof-of-concept material, while NVD and the ProFTPD fix/release trail corroborate the vulnerability and patch.
- Spinnaker CVE-2026-32604 and CVE-2026-32613, where ZeroPath provides the research write-up and AI-use context, while GitHub advisories and Spinnaker release notes corroborate the two critical RCEs.
- better-auth CVE-2025-61928, where the ZeroPath post says the scanner found the authentication-bypass bug, while GitHub and NVD corroborate the advisory, affected package, fixed version, and reporter.
- Seven FFmpeg memory-safety and protocol-logic fixes, where ZeroPath provides the AI-assisted SAST attribution and links to the upstream patch set. This is counted as one no-CVE cluster, not seven separate CVE findings.
- A sudo exec_mailer privilege-drop fix, where the upstream sudo commit directly credits the ZeroPath AI Security Engineer and Qualys later documents the same behavior as part of its CrackArmor AppArmor + Sudo + Postfix chain.
What is held out
ZeroPath’s public Wall of Fame is broader than this profile. It lists many fixed vulnerabilities and pending CVEs, and the ZeroPath blog also describes 170 valid curl bug reports. Those are useful context, but Bugflation does not count all of them as findings yet.
The curl work is strong evidence that maintainers found ZeroPath output useful, but the public article mixes security issues, correctness bugs, compliance bugs, and cleanup work. It belongs in the system profile, not as 170 vulnerability findings. The broader set of 36 sudo fixes is also held out as a bulk count; Bugflation indexes only the exec_mailer issue because there is direct upstream attribution and independent CrackArmor context. Currently unpatched research, such as the public RAGFlow post, is also held until there is maintainer acceptance, a patch, or an advisory trail.
Why it matters
ZeroPath is an example of bugflation pressure outside the frontier-model lab setting. The public record shows AI-assisted vulnerability discovery attached to real projects, real patches, and CVE-backed advisories across deployment systems, authentication libraries, media tooling, FTP infrastructure, and security utilities.
The attribution is mixed. Most entries are self-reported: ZeroPath supplies the AI workflow claim, while independent records corroborate the vulnerability and fix. The sudo exec_mailer entry is stronger because the upstream commit names the ZeroPath AI Security Engineer directly. Both styles are publishable under Bugflation’s methodology, as long as the attribution label stays honest.
Sources
- ZeroPath: How ZeroPath Works
- ZeroPath Wall of Fame
- ZeroPath: CVE-2026-39816 in Apache NiFi
- ZeroPath: CVE-2026-42167 in ProFTPD
- ZeroPath: Critical Spinnaker vulns
- ZeroPath: better-auth CVE-2025-61928
- ZeroPath: Autonomously finding 7 FFmpeg vulnerabilities with AI
- sudo commit 3e474c2: exec_mailer group and uid handling
- Qualys technical report: CrackArmor
- ZeroPath: 36 Sudo bug fixes reduce CrackArmor’s impact