[Paper] Who Said CVE? How Vulnerability Identifiers Are Mentioned by Humans, Bots, and Agents in Pull Requests

Published: 1 week ago (January 27, 2026 at 09:13 AM EST)

1 min read

Source: arXiv

Source: arXiv - 2601.19636v1

Overview

Vulnerability identifiers such as CVE, CWE, and GHSA are standardised references to known software security issues, yet their use in practice is not well understood. This paper compares vulnerability ID use in GitHub pull requests authored by autonomous agents, bots, and human developers. Using the AIDev pop dataset and an augmented set of pull requests from the same repositories, we analyse who mentions vulnerability identifiers and where they appear. Bots account for around 69.1 % of all mentions, usually adding few identifiers in pull request descriptions, while human and agent mentions are rarer but span more locations. Qualitative analysis shows that bots mainly reference identifiers in automated dependency updates and audits, whereas humans and agents use them to support fixes, maintenance, and discussion.

Key Contributions

cs.SE

Methodology

Please refer to the full paper for detailed methodology.

Practical Implications

This research contributes to the advancement of cs.SE.

Authors

Pien Rooijendijk
Christoph Treude
Mairieli Wessel

Paper Information

arXiv ID: 2601.19636v1
Categories: cs.SE
Published: January 27, 2026
PDF: Download PDF

[Paper] Who Said CVE? How Vulnerability Identifiers Are Mentioned by Humans, Bots, and Agents in Pull Requests

Overview

Key Contributions

Methodology

Practical Implications

Authors

Paper Information

Related posts

[Paper] Outcome-Conditioned Reasoning Distillation for Resolving Software Issues

[Paper] GrepRAG: An Empirical Study and Optimization of Grep-Like Retrieval for Code Completion

[Paper] Do Good, Stay Longer? Temporal Patterns and Predictors of Newcomer-to-Core Transitions in Conventional OSS and OSS4SG

[Paper] From Monolith to Microservices: A Comparative Evaluation of Decomposition Frameworks