Search papers, labs, and topics across Lattice.
This paper introduces a novel approach to vulnerability triage by employing compute-budgeted evidence graphs that evaluate the exploitability of vulnerabilities based solely on publicly available information at a fixed decision time. The authors demonstrate that their method significantly improves leakage-safe prospective recall, achieving a recall@50 of 0.026 compared to a baseline of 0.010, while also revealing that naive evaluation methods can artificially inflate recall metrics. The study emphasizes the importance of a rigorous evaluation protocol and provides reproducible evidence certificates to support claims in vulnerability prioritization.
A budgeted evidence selection approach reveals that naive evaluation methods can inflate vulnerability recall metrics by over 8 times, challenging traditional assessment practices.
Defenders cannot patch every newly disclosed vulnerability at once, so exploitability prediction must be evaluated prospectively rather than retrospectively. We study compute-budgeted vulnerability triage in which each CVE is scored only from public evidence visible by a fixed decision time. Advisories, exploit archives, fix commits, and hacker-community discourse are represented as a temporal evidence graph; a budgeted selector admits only a few evidence documents per CVE, and every score is paired with an auditable certificate listing the supporting signals, timestamps, source layers, and leakage flags. On 12012 prospective CVEs from public sources, budgeted evidence selection raises leakage-safe prospective recall@50 from 0.010 for a severity-only baseline to 0.026, while two evidence documents per CVE capture most of the value. A strong cross-encoder reranker lowers prospective recall to 0.016, showing that semantic relevance to a CVE is not the same as evidence of exploitation. Most importantly, a naive random split with unfiltered evidence inflates apparent prospective recall by 8.5x and EPSS-high recall by 5.0x. The main contribution is a leakage-safe evaluation protocol and reproducible evidence certificates for contestable vulnerability-prioritization claims.