Create a closed source Large Language Model CVE detection program or tool #11
Comments
Hi and thanks for the suggestion, although I'm not sure I clearly understand it. If you're suggesting an LLM based on the CVE corpus could be used to discover new vulnerabilities, I don't think that would work. We are interested in using AI/ML to improve CVE, but would need much more specific ideas.
I see LLMs as offering the promise of processing the existing CVE JSON files to produce a data set with canonicalized affected range information - drawing upon the text of the CVE description as well as other fields (some containing idiosyncratically formatted version information), with the objective of producing an automation-ready data set.
While I'm a bit of an AI skeptic (or possibly Luddite), I'd try anything to help us with vulnerability status, software ID, versions, ranges, etc. There's so much variation in accuracy and level of detail in CVE
With the prominence of Machine Learning over the past 10 years, and the rise of Large Language Models recently which can reason (per various scholarly works), the CVE org could train a Large Language Model on its database of vulnerabilities and create a closed source tool for the public to use as a CVE detection tool based on the best Large Language Models and CVE data.