About Zero Science Lab

Information Security Research
& Development Laboratory

Who we are

Zero Science Lab is an independent information security research and development laboratory, founded in 2007 in Kumanovo, Macedonia. We exist because we want to understand how things work — and how they break. Complex systems, critical infrastructure, embedded devices, networks, protocols, software running in places most people never think about. We reverse, we instrument, we fuzz, we crash. When something is not supposed to fail, we find out if that’s actually true.

What drives us

Our research has affected hundreds of millions of devices and systems worldwide. We discover zero-days because we love what we do and we replace the fear of the unknown with curiosity. We don’t do this for metrics or recognition — we do it because the work matters and because we’re genuinely incapable of leaving a black box unopened. We like disruptive technologies, broken standards, and the kind of complexity that makes other people walk away.

How we operate

We maintain the strictest disclosure policy for an obvious reason: if a vendor fails to respond within a reasonable timeframe, we proceed with public disclosure. Every finding is reported responsibly, every vendor given fair opportunity. When that opportunity is ignored, transparency prevails. Client references are provided only when absolutely necessary and upon request — NDAs are standard and privacy is non-negotiable.

The team

Our team is small by design. Every member carries years of field experience across disciplines — from binary analysis and exploit development to network security, hardware research, and social engineering. There are no middlemen between you and the people doing the work. The analyst who dissects your system is the same person explaining the findings and standing behind them.

Capabilities
Reverse Engineering
Protocol Analysis
Exploit Development
Structured Fuzzing
Firmware Analysis
Malware Analysis
ICS / OT Security
Red Team Operations
Social Engineering
Secure Code Review
Security Architecture
AI & Machine Learning
Graphics Design
A/V Engineering
Animation & Game Theory
Metrics

1100+ Public Advisories: One of the largest independent vulnerability archives maintained by a single research lab.
400+ Vendors: Enterprise platforms, industrial systems, and IoT firmware across the global technology stack.
3000+ Technical Security Assessments: Hands-on offensive assessments. Every finding manually verified.
710+ CVEs: Documented vulnerabilities affecting production systems and deployed infrastructure.
1200+ Humans Trained: Offensive security, reverse engineering, and vulnerability research.
20+ Years Active: Continuous independent vulnerability research and disclosure since 2007.
Responsible Disclosure

Vulnerabilities.

    Technical Research

    Papers

    Technical papers covering vulnerability classes, exploitation techniques, protocol weaknesses, and defensive mechanisms.

    Papers & Articles
    Show-program

    Presentations

    Slides and materials from conference talks, workshops, and technical lectures.

    Slide Decks
    Offensive & Defensive

    Services

    Manual work. Original findings. Engagements are scoped individually and executed by the same experts who conduct the security assessments.

    [0x00] Penetration Testing & Red Team Operations

    Manual, intelligence-driven testing of web applications, APIs, mobile platforms, network infrastructure, wireless environments, cloud services, and embedded systems. Engagements simulate realistic adversaries using advanced penetration testing techniques, exploit development, fuzzing, and controlled red team operations.

    Every vulnerability is manually verified and analysed for practical impact. Reports are written for engineers who must fix the issues — concise, technically precise, and prioritised by real risk. Scope and engagement rules are defined before testing begins.

    [0x01] Vulnerability Research

    Targeted vulnerability research against specific products, platforms, or technologies. Work frequently focuses on firmware, proprietary protocols, management interfaces, and complex application logic where conventional testing rarely reaches.

    Research combines reverse engineering, fuzzing, and protocol analysis to uncover weaknesses through direct technical investigation. Confirmed vulnerabilities are reported to affected vendors or operators. Vendors are given time to remediate, after which technical advisories may be published.

    [0x02] Industrial & Embedded System Security

    Security assessment of industrial control systems, SCADA environments, building automation networks, PLC platforms, and operational technology infrastructure.

    Testing is conducted carefully to preserve system stability and operational availability. Work includes analysis of industrial protocols and control environments used in energy systems, transportation infrastructure, broadcast networks, and smart cities. The focus is understanding how these systems behave in production and identifying weaknesses without disrupting operations.

    [0x03] Firmware & Hardware Security Analysis

    Static and dynamic analysis of embedded firmware from routers, controllers, industrial devices, automotive modules, cameras, and IoT systems. Firmware is examined for weaknesses such as hardcoded credentials, insecure update mechanisms, outdated components, and memory corruption vulnerabilities.

    When firmware cannot be obtained through software extraction, hardware interfaces such as UART, JTAG, and flash memory access are used. Extracted systems are then analysed through emulation, instrumentation, and fuzzing to identify security flaws.

    [0x04] Source Code Review

    Manual security analysis of application and firmware source code focusing on logic flaws, authentication weaknesses, injection vulnerabilities, cryptographic misuse, and trust boundary violations.

    Reviews cover languages commonly used in modern software and embedded systems. Findings are delivered with precise technical explanation and remediation guidance so development teams can resolve vulnerabilities directly in the codebase.

    [0x05] Reverse Engineering & Malware Analysis

    Analysis of compiled software, proprietary protocols, embedded firmware, and malicious code. Reverse engineering is used to reconstruct undocumented functionality and expose unsafe or hidden behaviour within complex systems.

    Typical work includes analysing unknown binaries, documenting proprietary protocols, recovering cryptographic material from firmware, and investigating malware or exploit payloads. Static analysis, dynamic instrumentation, and custom tooling are used to understand behaviour at the lowest practical level.

    [0x06] Security Architecture Review

    Technical evaluation of system architecture and design decisions before or after deployment. This work identifies structural weaknesses that testing alone cannot detect — including trust boundaries, authentication models, update mechanisms, and protocol design.

    The objective is to help engineering teams understand where systems may fail and provide practical paths for improvement based on realistic threat scenarios.

    [0x07] Technical Security Training

    Hands-on training delivered to engineers, developers, and security teams. Courses are based on real vulnerability research and operational experience rather than theoretical material.

    Training modules commonly include vulnerability research methodology, fuzzing, reverse engineering, firmware analysis, industrial system security, exploit development fundamentals, secure programming practices, and incident response. Sessions are intentionally small to allow direct technical interaction and practical lab work.

    Enquiries: [email protected]

    Throughout

    History

    A visual archive of previous Zero Science Lab website designs since 2007.

    Media References & Mentions

    Coverage, references, and citations of Zero Science Lab research in the press, advisories, and academic literature.

    Captain's log

    Lablog

    Technical write-ups, research notes, and observations from ongoing work inside the lab.

    Design 29.03.2026

    ZSL New Website Design - v3.0

    After 16 years, we did it, thanks to the AI that helped speed things up when busy with other stuff in life!

    Gjoko Krstic
    Research 30.12.2025

    ICS Threat Landscape 2025 — Year in Review

    The volume of disclosed vulnerabilities in building automation, SCADA, and ICS-adjacent products reached a new high in 2025, with internet-exposed management interfaces as the dominant attack surface.

    Gjoko Krstic
    Technical 14.10.2025

    Breaking BACnet: Protocol Stack Vulnerabilities in Commercial BMS Controllers

    BACnet/IP implementations across six major vendors consistently process untrusted network input with no authentication and minimal bounds checking. WriteProperty calls modifying live setpoints with no audit trail.

    Gjoko Krstic
    Methodology 03.07.2025

    Firmware Extraction Without a Debugger: Six Approaches That Work

    From vendor update interception to SPI flash dumps and QEMU emulation. Ordered by invasiveness — UART first, chip-off BGA last.

    Gjoko Krstic
    ICS 18.04.2025

    Modbus TCP Attack Primitives: Enumeration to Coil Write

    Documenting the full attack chain against unauthenticated Modbus/TCP installations: unit enumeration, coil read, register dump, and write primitives for HMI setpoint manipulation.

    Gjoko Krstic
    Tools 07.02.2025

    zsl-fuzz: Internal Tooling for Protocol Fuzzing in OT Environments

    A walkthrough of the stateful protocol fuzzer used internally for BACnet, Modbus, and proprietary OT protocol fuzzing — without causing process disruption in live environments.

    Gjoko Krstic
    Open Research & Development

    Projects

    Selected public projects, research initiatives, and experimental work developed by the lab.

    Born out of ABB security research and evolved into a recurring Paged Out! magazine series showcasing silly bugs found in Cyber-physical systems.

    Macedonian mirror of PoC||GTFO magazine — the legendary hacker zine blending reverse engineering, crypto, and art in self-executing PDF issues.

    Vulnerability Scanner Engine (Commercial)

    Developed a security scanning engine integrated into a known commercial vulnerability scanner product. The engine contributed detection logic for a class of web application and network vulnerabilities.

    IT.mk Portal & Forum (Community)

    Long-running technical contributor to IT.mk — the primary technology forum and portal in Macedonia. Security columns, vulnerability discussions, and community advisory outreach.

    A tribute to Arnold Schwarzenegger — browser-based game built for fun.

    Gallery of book cover designs, wall fractals, publications, photography, and graphics design work.

    Custom Fuzzers (Research)

    Building custom fuzzers for safety instrumented systems, grammar-based protocol mutators, file format manglers, libFuzzer harnesses, syzkaller modules, and IOCTL-level kernel driver fuzzing.

    Inspired the bug bounty program for FLIR Intelligent Transportation Solutions, now part of Teledyne FLIR.

    Developed one of the early CSOC policies and logistics frameworks for Istanbul Airport — the world's largest airport hub.

    Trojka Vodka (Creative)

    Produced animations and video marketing materials for the Trojka Vodka brand.

    Incapsula/Imperva WAF Quiz (Security)

    Built an internal security quiz for Incapsula/Imperva employees — multiple-choice challenges on WAF bypass payloads, true negatives, and false positives.

    Developed CTF challenges for Abu Dhabi Police GHQ showcased at the GITEX technology conference — boosting interest and awareness among UAE hackers and talent.

    ITSec E-zine (Publishing)

    Created ITSec.com.mk — the first information security e-magazine in Macedonia. No longer online, but it was one of a kind at the time.

    Collaborated with the university on student essay papers and provided guidance on security topics in the System Software course at the Faculty of Electrical Engineering and Information Technologies (FEIT), Ss. Cyril and Methodius University in Skopje.

    AI security research and vulnerability advisory.

    Post-incident forensic analysis of the Ashley Madison data breach — examining the leaked dataset, attack vectors, and impact assessment.

    Section Zero (Security)

    An international pentesting organization. Developed bootable Security Live CDs - www.section-zero.org.

    Research Tooling

    Tools

    Security tools developed or maintained for vulnerability research, analysis, and testing.

    PDF metadata cleaning script for stripping identifying information from documents before publication or sharing.

    Browser-based sprite sheet animation viewer and analyzer for inspecting frame sequences and timing.

    A lightweight web-based tool for encrypting and decrypting short text messages using a passphrase. It exchanges .zsl files to keep encrypted payloads portable and simple.

    Codeword (Pentest)

    This tool is used for pasting code with line numbers and syntax highlighting in Word.

    png2ascii (Visual)

    Browser-based PNG to ASCII art converter for transforming images into text-based representations.

    DNSExfil (Pentest)

    DNS exfiltration script for testing data leakage detection capabilities via DNS query tunneling.

    WaSAP (Scanner)

    Simple burp plugin that checks for known endpoints and misconfigurations in SAP applications.

    NCQS (Scanner)

    nginx-conf-qs (Nginx Configuration Quick Scan) is a static security scanner designed to audit Nginx configuration files and related infrastructure code. It performs a deep inspection of configuration directories and highlights misconfigurations that weaken security across Nginx, Kubernetes, AWS environments, and YAML-based deployment files.


    Single signal

    Contact

    Phone
    +389 75 290 926
    Address
    Oktomvriska Revolucija 42, 1300, Kumanovo, Republic of Macedonia
    Associate Office
    The Randstad, Netherlands
    PGP Key

    For secure communications, use our PGP key.

    Fingerprint: 2B5C 894E E3C9 49C9 81C9 420E 1C62 D520 8913 A58D RSA 4096 · Expires 24-Dec-27