Compute-Budgeted Exploitability Evidence Graphs for Prospective Vulnerability Triage
[Submitted on 17 Jun 2026]
Faruk Alpay, Taylan Alpay
Defenders cannot patch every newly disclosed vulnerability at once, so exploitability prediction must be evaluated prospectively rather than retrospectively. We study compute-budgeted vulnerability triage in which each CVE is scored only from public evidence visible by a fixed decision time. Advisories, exploit archives, fix commits, and hacker-community discourse are represented as a temporal evidence graph; a budgeted selector admits only a few evidence documents per CVE, and every score is paired with an auditable certificate listing the supporting signals, timestamps, source layers, and leakage flags. On 12012 prospective CVEs from public sources, budgeted evidence selection raises leakage-safe prospective recall@50 from 0.010 for a severity-only baseline to 0.026, while two evidence documents per CVE capture most of the value. A strong cross-encoder reranker lowers prospective recall to 0.016, showing that semantic relevance to a CVE is not the same as evidence of exploitation. Most importantly, a naive random split with unfiltered evidence inflates apparent prospective recall by 8.5x and EPSS-high recall by 5.0x. The main contribution is a leakage-safe evaluation protocol and reproducible evidence certificates for contestable vulnerability-prioritization claims.
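The evaluation protocol the abstract describes, worked through on a small constructed dataset as an added example (this is not the paper's code and not part of the cbeeg artifacts): each CVE is scored from at most a budget of evidence documents, a leakage-safe selector admits only documents dated on or before the CVE's decision time and records later ones as leakage flags, every score carries a certificate listing the supporting documents with their source layer and timestamp, and prospective recall@k is computed over the resulting ranking. The per-layer evidence weights, the severity baseline, and all six CVEs with their documents are assumptions made for the illustration; the paper's own selector and scoring are not public on this page. Running it shows the effect the abstract reports, in miniature: the unfiltered variant scores higher than the leakage-safe one only because post-decision exploit-archive and forum entries are the label leaking back into the features.

```python
"""Leakage-safe prospective recall@k over a small constructed evidence graph.

Added illustration of the protocol in the abstract; not the paper's code or the
cbeeg artifacts. Layer weights, the severity baseline, and every CVE/document
below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

# Assumed per-layer evidence weights (illustrative, not from the paper).
LAYER_WEIGHT = {"exploit_archive": 3.0, "forum": 2.0, "fix_commit": 1.0, "advisory": 0.5}


@dataclass(frozen=True)
class Doc:
    doc_id: str
    layer: str   # source layer: advisory, exploit_archive, fix_commit, forum
    ts: date     # publication timestamp of the evidence document


@dataclass
class CVE:
    cve_id: str
    cvss: float
    decision_time: date
    exploited_later: bool   # ground truth that only becomes known after decision_time
    docs: list = field(default_factory=list)


def day(s):
    return date.fromisoformat(s)


# Constructed sample: six CVEs scored at one decision time; three are exploited later.
CVES = [
    CVE("CVE-A", 9.8, day("2025-03-01"), False, [Doc("A-adv", "advisory", day("2025-02-20"))]),
    CVE("CVE-B", 9.0, day("2025-03-01"), True, [
        Doc("B-forum", "forum", day("2025-02-25")),
        Doc("B-fix", "fix_commit", day("2025-02-28")),
        Doc("B-exploit", "exploit_archive", day("2025-03-15")),   # after decision time
    ]),
    CVE("CVE-C", 9.1, day("2025-03-01"), False, [
        Doc("C-adv", "advisory", day("2025-02-27")),
        Doc("C-fix", "fix_commit", day("2025-02-28")),
        Doc("C-forum", "forum", day("2025-02-26")),
    ]),
    CVE("CVE-D", 6.5, day("2025-03-01"), True, [
        Doc("D-exploit", "exploit_archive", day("2025-02-26")),
        Doc("D-forum1", "forum", day("2025-02-27")),
        Doc("D-forum2", "forum", day("2025-02-28")),
    ]),
    CVE("CVE-E", 8.8, day("2025-03-01"), False, [
        Doc("E-adv", "advisory", day("2025-02-15")),
        Doc("E-forum", "forum", day("2025-03-20")),               # after decision time
    ]),
    CVE("CVE-F", 5.3, day("2025-03-01"), True, [
        Doc("F-forum", "forum", day("2025-02-20")),
        Doc("F-exploit", "exploit_archive", day("2025-03-05")),   # after decision time
    ]),
]


def score_with_certificate(cve, budget, leakage_safe=True):
    """Score one CVE from at most `budget` documents and return an auditable certificate.

    leakage_safe=True admits only documents dated on or before the decision time;
    leakage_safe=False mimics the naive protocol that lets post-decision evidence in.
    Post-decision documents are listed under leakage_flags in both modes, so a leaky
    certificate is visibly leaky.
    """
    flagged = [x for x in cve.docs if x.ts > cve.decision_time]
    pool = [x for x in cve.docs if x.ts <= cve.decision_time] if leakage_safe else list(cve.docs)
    ranked = sorted(pool, key=lambda x: (-LAYER_WEIGHT[x.layer], x.doc_id))
    admitted = ranked[:budget]
    score = cve.cvss / 10.0 + sum(LAYER_WEIGHT[x.layer] for x in admitted)
    return {
        "cve": cve.cve_id,
        "decision_time": cve.decision_time.isoformat(),
        "score": score,
        "supporting": [(x.doc_id, x.layer, x.ts.isoformat(), LAYER_WEIGHT[x.layer]) for x in admitted],
        "leakage_flags": [x.doc_id for x in flagged],
    }


def rank(cves, scorer):
    return sorted((scorer(c) for c in cves), key=lambda c: (-c["score"], c["cve"]))


def recall_at_k(cves, scorer, k):
    """Fraction of later-exploited CVEs that land in the top k of the ranking."""
    positives = {c.cve_id for c in cves if c.exploited_later}
    top = {c["cve"] for c in rank(cves, scorer)[:k]}
    return len(positives & top) / len(positives)


def severity_only(cve):
    return score_with_certificate(cve, budget=0)


def budgeted_safe(cve):
    return score_with_certificate(cve, budget=2, leakage_safe=True)


def budgeted_leaky(cve):
    return score_with_certificate(cve, budget=2, leakage_safe=False)


if __name__ == "__main__":
    for name, scorer in [("severity-only", severity_only),
                         ("budgeted, leakage-safe", budgeted_safe),
                         ("budgeted, unfiltered", budgeted_leaky)]:
        print(f"{name:24s} recall@3 = {recall_at_k(CVES, scorer, 3):.3f}")
    print(score_with_certificate(CVES[1], budget=2))   # certificate for CVE-B, leakage-safe
```

On this constructed data, severity-only ranking reaches recall@3 of 1/3, leakage-safe budgeted selection 2/3, and the unfiltered variant 1.0; the last figure is the inflated number a random split with unfiltered evidence would report, and the certificate for CVE-B shows why: its post-decision exploit-archive entry is excluded and flagged under the safe protocol but admitted as the top-weighted document under the naive one.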
Comments: 11 pages, 3 figures, 1 table; ancillary files provided; artifacts: this https URL
Subjects: Cryptography and Security (cs.CR)
MSC classes: 68P20, 68T05, 62H30
Cite as: arXiv:2606.19076 [cs.CR]
(or arXiv:2606.19076v1 [cs.CR] for this version)
https://doi.org/10.48550/arXiv.2606.19076
Submission history
From: Taylan Alpay [view email]
[v1] Wed, 17 Jun 2026 13:47:34 UTC (142 KB)
Ancillary files (details):
ARTIFACTS.md
Makefile
cbeeg/adapters/epss.py
cbeeg/adapters/hf_datasets.py
cbeeg/adapters/kev.py
(31 additional files not shown)