paper

[hrshy0629]

This is a wonderful piece of work, especially because of the discovery of CVE. But when I'm reading the paper, shouldn't I at least mark the corresponding programming languages in Figures 1 and 4? And have the 15 zero-day vulnerabilities been confirmed? Is there a specific CVE ID?

[rucnyz]

Thank you for the suggestion. These figures present the average results across Python, C/C++, and Java. We will add clear labels indicating the programming languages in the revised version to improve clarity.
Regarding zero days. Our agent is currently under active development, and the identified vulnerabilities are going through the responsible disclosure process. We will open-source the agent very soon. We welcome continued attention to our work and will provide updates on vulnerabilities assignments as they become available!

[zhuhaopku]

I’m a bit curious about the “zero-day” claim. In Figure 7, VulnLLM-R finds 15 true positives on the AIxCC benchmarks — are these referring to the benchmark vulnerabilities themselves, or to newly discovered real-world zero-day issues?