Automatic Vulnerability Triaging
- Automatic vulnerability triaging is the automated conversion of vulnerability reports and scanner outputs into structured assessments of severity, ownership, and remediation priorities.
- It employs supervised text classification, transformer-based models, and data normalization pipelines to accurately assign vulnerabilities to developers or components.
- It integrates exploit validation, environmental context, and human oversight to enhance actionable insights and prioritize remediation in staged pipelines.
Searching arXiv for recent and directly relevant papers on automatic vulnerability triaging, severity assessment, exploit validation, and assignment. Automatic vulnerability triaging is the automated transformation of vulnerability reports, scanner findings, firmware inventories, code findings, or issue tickets into structured decisions about applicability, ownership, type, severity, impact, and remediation priority. In the literature, this includes assigning vulnerabilities to developers or components as a multi-class text classification problem, classifying weaknesses and severity directly from descriptions, filtering irrelevant findings, generating VEX-style applicability judgments, ranking risk with composite scores, mapping CVEs to ATT&CK techniques, and validating exploitability through automatically generated proofs of concept (Dipongkor et al., 2023, Torkamani et al., 31 Jan 2025, Ghosh et al., 2024, Arifin et al., 3 May 2026, Høst et al., 25 Aug 2025).
1. Conceptual scope and task formulations
A central formulation treats triage as a supervised mapping from issue text to discrete labels. In bug triaging, the input is the concatenation of Summary and Description, and the outputs are Assignee or Component; the same formulation transfers directly to vulnerability–developer assignment and vulnerability–component assignment, where the labels become security engineers, feature teams, codebase components, microservices, or applications (Dipongkor et al., 2023). This establishes automatic vulnerability triaging as a family of single-label, multi-class classification tasks over textual or text-plus-metadata inputs.
Other formulations expand the output space beyond assignment. CASEY frames triage as jointly identifying CWE categories and severity from vulnerability descriptions and code context, while VLAI predicts severity classes directly from vulnerability descriptions before official CVSS scores are available (Torkamani et al., 31 Jan 2025, Bonhomme et al., 4 Jul 2025). CVE-LLM defines the task as a mapping from an asset and a notification to VEXCategory, VEXJustification, an environmental Vector, and internal and customer comments, thereby treating triage as a structured generation problem over applicability, rationale, and context-aware risk (Ghosh et al., 2024).
A further expansion makes impact explicit. TRIAGE maps CVEs to ATT&CK techniques under the three impact phases defined in the CVE Mapping Methodology: exploitation technique, primary impact, and secondary impact (Høst et al., 25 Aug 2025). In SBOM-driven firmware triage, the task is expressed as a pipeline from extraction and normalization to SBOM generation, vulnerability mapping, and a localized risk score, while exploit-centric systems such as AXE, AutoEG, and A2 redefine triage around the question of whether a reported vulnerability is actually exploitable and what practical effect it produces (Tolay, 4 Jan 2026, Sajadi et al., 15 Feb 2026, Yang et al., 1 Apr 2026, Wang et al., 29 Aug 2025).
2. Data sources and vulnerability representation
The dominant input modality is text. VLAI uses the full vulnerability description text and reports that titles and CPE fields provide negligible gains, whereas CASEY evaluates prompts built from the NVD description alone or augmented with buggy files, methods, or hunks extracted from linked commits (Bonhomme et al., 4 Jul 2025, Torkamani et al., 31 Jan 2025). In assignment-oriented settings, the same reliance on textual issue reports appears in transformer-based bug triaging, where Summary and Description are concatenated and used to predict developers or components (Dipongkor et al., 2023).
Operational systems broaden the evidence base. AgenticVM ingests scanner outputs from Trivy, Grype, and Snyk, correlates them with NVD, EUVD, and the CISA KEV catalog, and normalizes them into a canonical vulnerability record with fields such as cve_id, description, cvss_vector, cvss_base_score, severity, source_db, scanner_origin, asset_context, and recommendation (Arifin et al., 3 May 2026). CVE-LLM uses internal notifications and evaluations together with public NVD documents, assembling 320K documents for domain adaptive pretraining and 440K instructions for supervised fine-tuning; its asset representation includes product and software names, versions, sub-organization, and lists of software components, reaching approximately 1.6K assets and 152K components (Ghosh et al., 2024).
In software supply-chain settings, representation becomes SBOM-centric. The IoT firmware pipeline extracts Linux-based firmware with binwalk, normalizes filesystems, generates CycloneDX JSON SBOMs with Syft, and maps components through PURLs, CPEs, filename heuristics, and hashes to vulnerabilities from Grype, OSV-Scanner, NVD, GitHub Advisory Database, EPSS, and KEV (Tolay, 4 Jan 2026). The same literature emphasizes uncertainty markers such as the placeholder 0.0.0-unknown when stripped binaries or static linking prevent reliable version inference (Tolay, 4 Jan 2026).
Training data quality is itself a triage problem. CleanVul shows that vulnerability datasets derived from vulnerability-fixing commits often contain 40% to 75% noise because all changes in a commit are labeled as vulnerability-related; VulSifter addresses this by assigning function-level scores in and combining LLM analysis with heuristics for test filtering, producing CleanVul with 11,632 functions and 90.6% Correctness at threshold 3, or 8,337 functions and 97.3% Correctness at threshold 4 (Li et al., 2024).
3. Methodological families
One major family treats triage as text classification or sequence classification. Transformer-based bug triaging fine-tunes BERT, DistilBERT, RoBERTa, ALBERT, DeBERTa, and CodeBERT with a standard sequence-classification head over the final [CLS] representation and cross-entropy loss, while maintaining TF-IDF + SVM as a strong baseline (Dipongkor et al., 2023). VLAI uses roberta-base with a linear softmax head over four severity classes and a cross-entropy objective, retrained daily on approximately 550,000 training examples (Bonhomme et al., 4 Jul 2025). CASEY uses prompt-engineered and fine-tuned GPT-3.5 models to output perfect-match and top-candidate CWEs, plus severity labels and scores, from combinations of descriptions and code context (Torkamani et al., 31 Jan 2025).
A second family is structure-aware and code-centric. AIBugHunter builds a triage pipeline for C/C++ in which LineVul first detects and localizes vulnerable lines, then a multi-objective optimization formulation jointly predicts CWE-ID and CWE-Type with a shared CodeBERT encoder and two task-specific heads, and finally a CodeBERT regression model estimates CVSS v3.1 scores (Fu et al., 2023). AutoVulnPHP uses a two-stage PHP pipeline: SIFT-VulMiner converts ASTs augmented with control-flow and data-flow edges into linearized sequences for a CodeT5 + GRU detector, SAFE-VulMiner verifies candidates with CodeBERT embeddings and a risk-biased self-attention term,
and ISAL performs localization through syntax-guided tracing, template-constrained LLM generation, and causal consistency checks (Wang et al., 7 Jan 2026). Older work on vulnerabilities found by compositional symbolic execution uses call-graph and LLVM-derived features such as node degree, distance to interface, clustering coefficient, node path length, number of vulnerabilities, infection-chain length, function size, basic-block count, and pointer parameters, then trains random forest and Naive Bayes models to predict each CVSS v3 base metric (Ognawala et al., 2018).
A third family is agentic and workflow-oriented. AgenticVM decomposes vulnerability management into Detection, Assessment, Prediction, Integration, Prioritisation, and Recommendation agents, combining rule-based logic, a BERT-small CVSS prediction model, and LLM-driven components under LangGraph orchestration (Arifin et al., 3 May 2026). AXE and AutoEG turn vulnerability validation into multi-agent exploit generation: AXE uses Strategist, Explorer, Exploiter, and PoC Gen modules under a grey-box setting with CWE and code-location hints, whereas AutoEG separates trigger-function construction from runtime exploit refinement under black-box conditions (Sajadi et al., 15 Feb 2026, Yang et al., 1 Apr 2026). A2 applies an analogous Planner–Executor–Validator pattern to Android, using multimodal tooling over UI, ICC, filesystem, and cryptographic attack surfaces (Wang et al., 29 Aug 2025).
4. Prioritization, scoring, and exploit-backed validation
Severity estimation is a core triage primitive. VLAI reports 82.8% accuracy on a held-out test set and about 85% agreement with eventual official severity on vulnerabilities that initially had no score, positioning text-only severity classification as a pre-CVSS assistant (Bonhomme et al., 4 Jul 2025). AgenticVM instead predicts the eight CVSS v3.1 base metrics with a BERT-small model and reports overall accuracy 89.3%, precision 89.3%, recall 89.4%, and F1 89.1%; once a complete vector is available, its Prioritisation Agent uses a configurable threshold, with CVSS treated as high-priority in the experiments (Arifin et al., 3 May 2026). CASEY reports 68% accuracy for CWE identification, 73.6% severity identification accuracy, and 51.2% combined accuracy for identifying both, using an augmented NVD dataset and prompt variants that include descriptions and code hunks (Torkamani et al., 31 Jan 2025).
Risk-ranking systems often augment CVSS with exploitability and context. The SBOM-driven firmware pipeline defines the Risk Priority Score as
with , , and , so that ; is set to 10 for KEV-listed vulnerabilities and otherwise equals , while 0 starts at 5 and is raised by evidence such as service configuration, init scripts, binary location, and inferred open ports (Tolay, 4 Jan 2026). CVE-LLM similarly makes context explicit by generating asset-specific environmental vectors and VEX judgments, with rule-based corrections that enforce consistency between Affected/NotAffected, VEXJustification, and vector output (Ghosh et al., 2024). TRIAGE extends prioritization from severity to adversary behavior by producing ATT&CK techniques for exploitation, primary impact, and secondary impact, enabling triage based on attacker objectives rather than CVSS alone (Høst et al., 25 Aug 2025).
Exploit confirmation provides the strongest triage signal in this literature. AXE achieves a 30% exploitation success rate on CVE-Bench, a 3x improvement over state-of-the-art black-box baselines, and produces reproducible PoC artifacts with explicit verification oracles (Sajadi et al., 15 Feb 2026). AutoEG evaluates 104 real-world vulnerabilities over 660 exploitation tasks and 55,440 exploit attempts, achieving an average success rate of 82.41%, with state-of-the-art baselines reaching only 32.88% (Yang et al., 1 Apr 2026). A2 reduces Android findings to 82 speculative vulnerability findings on Ghera, then generates working PoCs for 51 of them, and on 169 production APKs uncovers 104 true-positive zero-day vulnerabilities, 57 of which are self-validated with automatically generated PoCs (Wang et al., 29 Aug 2025). This suggests that exploit-backed validation functions as a late-stage triage mechanism that separates warnings from actionable findings.
5. Evaluation practices and representative empirical results
Evaluation protocols vary with the triage target. Assignment systems often use temporal splits: transformer-based bug triaging sorts reports chronologically, splits them into 11 folds, trains on folds 1, tests on fold 2, repeats up to 3, and averages over the 10 runs, with Top@K, MRR, Precision, Recall, F1, and paired 4-tests used to assess ranking and component assignment quality (Dipongkor et al., 2023). Ranking-based CVE→ATT&CK mapping uses MAP, Recall@10, and Recall@5, while CVE-LLM evaluates VEXCategory, VEXJustification, and vector generation with micro-F1 and comments with ROUGE-L (Høst et al., 25 Aug 2025, Ghosh et al., 2024). Code-centric systems add localization rate, MSE/MAE for CVSS regression, and Correctness for dataset curation (Fu et al., 2023, Wang et al., 7 Jan 2026, Li et al., 2024).
The literature reports a mix of component-level gains, noise reduction, and validation success. In developer/component assignment, DeBERTa is the strongest transformer and achieves the best F1 for component assignment across all four datasets, with F1 5 on Eclipse JDT, 6 on Eclipse Platform, 7 on Mozilla Core, and 8 on Mozilla SeaMonkey; however, TF-IDF + SVM remains competitive or best on some developer-assignment datasets, showing that simple baselines still matter (Dipongkor et al., 2023). AgenticVM reduces Train-Ticket scanner output from 3,983 raw detections to 155 unique CVEs and then to 82 prioritized items, corresponding to 97.9% reduction relative to the original detection count, while preserving a deterministic prioritization process (Arifin et al., 3 May 2026).
The following examples illustrate the range of reported outcomes.
| System | Triaged output | Representative reported result |
|---|---|---|
| DeBERTa bug/vulnerability assignment | Developer/component shortlist | Eclipse Platform developer assignment Top@1 9, MRR 0 (Dipongkor et al., 2023) |
| AgenticVM | Prioritized queue from scanner findings | Train Ticket: 3,983 detections 1 155 unique CVEs 2 82 prioritized (Arifin et al., 3 May 2026) |
| VLAI | Severity class from text | 82.8% test accuracy; about 85% agreement with eventual official severity (Bonhomme et al., 4 Jul 2025) |
| CASEY | CWE + severity from description/code | 68% CWE accuracy; 73.6% severity accuracy; 51.2% combined accuracy (Torkamani et al., 31 Jan 2025) |
| CVE-LLM | VEX, environmental vector, comments | VEXCategory micro-F1 3, Vector micro-F1 4 in evaluation (Ghosh et al., 2024) |
| AutoVulnPHP | Detection + localization | 99.7% detection accuracy, 99.5% F1 score, 81.0% localization rate (Wang et al., 7 Jan 2026) |
| CleanVul | Function-level curation for downstream triage | 90.6% Correctness at threshold 3; 97.3% at threshold 4 (Li et al., 2024) |
| A2 | Validated Android findings with PoCs | 78.3% coverage on Ghera; 51 validated PoCs; 104 true-positive zero-days on 169 APKs (Wang et al., 29 Aug 2025) |
These results suggest two recurring empirical patterns. First, triage quality improves substantially when systems move from flat detection to staged pipelines with filtering, ranking, and validation. Second, evaluation must distinguish between shortlist utility, exact label accuracy, and validation-backed actionability, since high-quality Top@K performance or validated PoCs can be operationally more important than exact Top-1 assignment (Dipongkor et al., 2023, Sajadi et al., 15 Feb 2026, Wang et al., 29 Aug 2025).
6. Human oversight, failure modes, and research directions
The literature consistently treats automatic vulnerability triaging as human-in-the-loop rather than fully autonomous. AgenticVM uses confidence gating for low-confidence CVSS predictions, schema validation, and approval gates, stating that “human approval remains required for destructive or production-impacting actions” (Arifin et al., 3 May 2026). CVE-LLM prioritizes expert review for Affected evaluations and applies rule-based corrections after generation, while A2 separates Planner, Executor, and Validator roles so that exploit claims are independently checked against read-only oracles (Ghosh et al., 2024, Wang et al., 29 Aug 2025).
Several failure modes recur across paradigms. In assignment settings, highly similar textual signatures induce systematic confusion between components or developers; the bug-triaging study reports positive correlation between component-text cosine similarity and confusion frequency, and shows that all models possess non-trivial orthogonality, meaning each solves some cases that others miss (Dipongkor et al., 2023). In LLM-based triage, prompt sensitivity, hallucinations, spurious entity substitutions, and degradation on long or heterogeneous inputs remain prominent; CVE-LLM reports incorrect version names and product names in generated comments, CASEY reports parent/child CWE confusions and information-deficit errors, and A2 documents hallucination-induced execution claims that require validator rejection (Ghosh et al., 2024, Torkamani et al., 31 Jan 2025, Wang et al., 29 Aug 2025). Exploit-centric systems report that many failures stem from high-level reasoning gaps rather than low-level execution, including misread vulnerability semantics, wrong attack-surface targeting, and unmet preconditions (Sajadi et al., 15 Feb 2026).
Future directions therefore concentrate on richer context, stronger grounding, and tighter integration. The literature proposes domain-adaptive pretraining on security corpora, ensembles that exploit model orthogonality, graph-based ownership or dependency models, cost-aware orchestration, end-to-end remediation pipelines, better handling of similar classes, multilingual support, and broader industrial datasets (Dipongkor et al., 2023, Ghosh et al., 2024, Arifin et al., 3 May 2026, Høst et al., 25 Aug 2025). A plausible implication is that automatic vulnerability triaging is converging toward hybrid systems in which deterministic rules, learned ranking, structured security knowledge, and exploit-backed validation are combined, with human analysts retained as the final authority over high-impact decisions.