All micropatches are digitally signed with our patch signing key before they get deployed to agents. 0patch Agent checks this signature twice: first when it downloads a micropatch (if invalid, the micropatch is discarded), and every time a micropatch is to be applied to a process (again, if invalid, it refuses to apply it).
The patch signing key is not stored on the server, so even if someone breaks into our distribution server, they won't be able to plant a micropatch that would be accepted by agents running on users' computers.
Finally, we create all micropatches in-house, so if you trust our team, you can trust our micropatches to be well-intentioned (we know a single malicious micropatch could destroy our business).
Every micropatch we issue must pass a number of criteria: effectiveness (does it actually fix the security issue?), non-maliciousness (it should do no intentional harm), security (it should not introduce new vulnerabilities), efficiency (it should solve the problem in a resource-friendly way), reviewability (it should be easy to read and understand), smallness (it should be as small as possible), and non-interference (it should not have unwanted functional side effects).