Search papers, labs, and topics across Lattice.
This paper introduces VeriPort, an automated system that efficiently backports security patches across multiple affected versions of open-source dependencies, addressing a significant gap in software supply chain security. By generating a robust chain of evidence for each backport, VeriPort ensures that patches not only block vulnerabilities but also maintain the intended functionality of the software. The system achieved a remarkable 95.3% success rate on backporting tasks, significantly outperforming existing solutions and revealing numerous previously unidentified vulnerabilities in the process.
VeriPort not only backports patches at scale but also uncovers hidden vulnerabilities, correcting over 400 erroneous version reports in the process.
One of the key challenges for securing the software supply chain is addressing known vulnerabilities in third-party open-source dependencies. Security patches are frequently only available for the latest version of a dependency, leaving developers with the choice of either upgrading to the latest version (risking breaking changes) or manually backporting the security fix. Prior work backports to a single version that must be specified in advance and does not produce sufficient evidence to demonstrate that their patches block exploitation and preserve functionality. In this paper, we present VeriPort, an end-to-end agentic system that scalably backports a patch for a given vulnerability advisory to every affected version of the package. For each backport, VeriPort builds a chain of evidence to confirm that the patch blocks exploitation and preserves intended behavior. VeriPort reliably resolves 95.3% of 128 backporting tasks in BackportBench, outperforming the best existing solution (Claude Code) by 22.7 percentage points. We further deployed VeriPort on 169 high- and critical-severity CVEs and have generated over 5,000 verified backported patches. Moreover, VeriPort's value extends beyond simply backporting patches. It uncovered 2,100 versions incorrectly reported as affected and 127 previously unidentified vulnerable versions across 92 advisories, and 23 advisories have since been corrected upstream by removing 387 versions and adding 81.