Vulnerability-Affected Versions Identification: How Far Are We?
This program is tentative and subject to change.
Identifying which software versions are affected by a vulnerability is critical for patching, risk mitigation. Despite a growing body of tools, their real-world effectiveness remains unclear due to narrow evaluation scopes—often limited to early SZZ variants, outdated techniques, and small or coarse-grained datasets. In this paper, we present the first comprehensive empirical study of vulnerability-affected versions identification. We curate a high-quality benchmark of 1,128 real-world C/C++ vulnerabilities and systematically evaluate 12 representative tools from both tracing and matching paradigms across four dimensions: effectiveness at both vulnerability and version levels, root causes of false positives and negatives, sensitivity to patch characteristics, and ensemble potential. Our findings reveal fundamental limitations: no tool exceeds 45.0% accuracy, with key challenges stemming from heuristic dependence, limited semantic reasoning, and rigid matching logic. Patch structures such as add-only and cross-file changes further hinder performance. Although ensemble strategies can improve results by up to 10.1%, overall accuracy remains below 60.0%, highlighting the need for fundamentally new approaches. Moreover, our study offers actionable insights to guide tool development, combination strategies, and future research in this critical area. Finally, we release the replicated code and benchmark on our website to encourage future contributions.
This program is tentative and subject to change.
Tue 18 NovDisplayed time zone: Seoul change
11:00 - 12:30 | |||
11:00 10mTalk | Vulnerability-Affected Versions Identification: How Far Are We? Research Papers Xingchu Chen Institute of Information Engineering, CAS; School of Cyber Security, UCAS, Chengwei Liu Nanyang Technological University, Jialun Cao Hong Kong University of Science and Technology, Yang Xiao Chinese Academy of Sciences, Xinyue Cai Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Yeting Li Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Jingyi Shi Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences, tianqi sun Institute of Information Engineering, Chinese Academy of Sciences, Haiming Chen Institute of Software, Chinese Academy of Sciences, Wei Huo Institute of Information Engineering at Chinese Academy of Sciences | ||
11:10 10mTalk | LOSVER: Line-Level Modifiability Signal-Guided Vulnerability Detection and Classification Research Papers Doha Nam Korea Advanced Institute of Science and Technology, Jongmoon Baik Korea Advanced Institute of Science and Technology | ||
11:20 10mTalk | VERCATION: Precise Vulnerable Open-source Software Version Identification based on Static Analysis and LLM Journal-First Track Yiran Cheng Beijing Key Laboratory of IOT Information Security Technology, Institute of Information Engineering, CAS, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China;, Ting Zhang Monash University, Lwin Khin Shar Singapore Management University, Shouguo Yang Zhongguancun Laboratory, Beijing, China, Chaopeng Dong Institute of Information Engineering, CAS, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China;, David Lo Singapore Management University, Shichao Lv Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Zhiqiang Shi Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Limin Sun Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences | ||
11:30 10mTalk | Not Every Patch is an Island: LLM-Enhanced Identification of Multiple Vulnerability Patches Research Papers Yi Song School of Computer Science, Wuhan University, Dongchen Xie School of Cyber Science and Engineering, Wuhan University, Lin Xu School of Cyber Science and Engineering, Wuhan University, He Zhang School of Computer Science, Wuhan University, Chunying Zhou School of Computer Science, Wuhan University, Xiaoyuan Xie Wuhan University | ||
11:40 10mTalk | Vul-R2: A Reasoning LLM for Automated Vulnerability Repair Research Papers Xin-Cheng Wen Harbin Institute of Technology, Zirui Lin Harbin Institute of Technology, Shenzhen, Yijun Yang Tencent AI Lab, Cuiyun Gao Harbin Institute of Technology, Shenzhen, Deheng Ye Tencent AI Lab | ||
11:50 10mTalk | DeepExploitor: LLM-Enhanced Automated Exploitation of DeepLink Attack in Hybrid Apps Research Papers Zhangyue Zhang Fudan University, Lei Zhang Fudan University, Zhibo Zhang Huazhong University of Science and Technology, Yongheng Liu Fudan University, Zhemin Yang Fudan University, Yuan Zhang Fudan University, Min Yang Fudan University | ||
12:00 10mTalk | Demystifying Cookie Sharing Risks in WebView-based Mobile App-in-app Ecosystems Research Papers Miao Zhang Beijing University of Posts and Telecommunications, Shenao Wang Huazhong University of Science and Technology, Guilin Zheng Beijing University of Posts and Telecommunications, Yanjie Zhao Huazhong University of Science and Technology, Haoyu Wang Huazhong University of Science and Technology | ||
12:10 10mTalk | Hit The Bullseye On The First Shot: Improving LLMs Using Multi-Sample Self-Reward Feedback for Vulnerability Repair Research Papers Rui Jiao Xidian University, Yue Zhang Drexel University, Jinku Li Xidian University, Jianfeng Ma Xidian University | ||
12:20 10mTalk | Propagation-Based Vulnerability Impact Assessment for Software Supply Chains Research Papers Bonan Ruan National University of Singapore, Zhiwei Lin National University of Singapore, Jiahao Liu National University of Singapore, Chuqi Zhang National University of Singapore, Kaihang Ji National University of Singapore, Zhenkai Liang National University of Singapore Pre-print | ||