English

Revisiting Vulnerability Patch Identification on Data in the Wild

Software Engineering 2026-03-19 v1 Cryptography and Security

Abstract

Attacks can exploit zero-day or one-day vulnerabilities that are not publicly disclosed. To detect these vulnerabilities, security researchers monitor development activities in open-source repositories to identify unreported security patches. The sheer volume of commits makes this task infeasible to accomplish manually. Consequently, security patch detectors commonly trained and evaluated on security patches linked from vulnerability reports in the National Vulnerability Database (NVD). In this study, we assess the effectiveness of these detectors when applied in-the-wild. Our results show that models trained on NVD-derived data show substantially decreased performance, with decreases in F1-score of up to 90\% when tested on in-the-wild security patches, rendering them impractical for real-world use. An analysis comparing security patches identified in-the-wild and commits linked from NVD reveals that they can be easily distinguished from each other. Security patches associated with NVD have different distribution of commit messages, vulnerability types, and composition of changes. These differences suggest that NVD may be unsuitable as the \textit{sole} source of data for training models to detect security patches. We find that constructing a dataset that combines security patches from NVD data with a small subset of manually identified security patches can improve model robustness.

Keywords

Cite

@article{arxiv.2603.17266,
  title  = {Revisiting Vulnerability Patch Identification on Data in the Wild},
  author = {Ivana Clairine Irsan and Ratnadira Widyasari and Ting Zhang and Huihui Huang and Ferdian Thung and Yikun Li and Lwin Khin Shar and Eng Lieh Ouh and Hong Jin Kang and David Lo},
  journal= {arXiv preprint arXiv:2603.17266},
  year   = {2026}
}
R2 v1 2026-07-01T11:25:24.855Z