REVIEW 3 major objections 2 minor 49 references
Reviewed by Pith at T0; open to challenge.
T0 review · grok-4.3
Prompt engineering does not reduce the rate of security flaws in LLM-generated code but does change which flaws appear.
2026-06-30 15:15 UTC pith:C5NTXMP5
load-bearing objection WA-0CoT shifts CWE distributions without cutting overall vulnerability rates, but the chi-square claims rest on an unexamined detection and labeling process. the 3 major comments →
An Empirical Evaluation of LLM-Generated Code Security Across Prompting Methods
The pith
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The empirical evaluation reveals that no prompting method, including the introduced weaknesses-aware zero-shot chain-of-thought strategy, achieves statistically significant reductions in the frequency or density of vulnerabilities in code generated by LLMs across Java, C++, C, and Python. Prompting does, however, systematically shift the distribution of specific CWE weakness categories, with the nature of these shifts depending on the target programming language.
What carries the argument
The weaknesses-aware zero-shot chain-of-thought (WA-0CoT) prompting strategy that adds CWE mappings for security context, paired with chi-square tests on vulnerability counts and category distributions.
Load-bearing premise
Vulnerabilities in the generated code can be reliably detected and classified into CWE categories the same way no matter which model, language, or prompt is used.
What would settle it
A re-run of the same code samples through a different automated scanner or a manual review by security experts that produces different vulnerability counts or different CWE distributions.
If this is right
- Prompting strategies change the types of weaknesses that appear in LLM code without lowering their total number or density.
- The effect of any given prompt on weakness types depends on the programming language being generated.
- Security-aware prompting by itself cannot be relied on to produce fewer vulnerabilities overall.
- Evaluations of LLM code security must account for differences across both models and languages.
Where Pith is reading between the lines
- Combining prompting with later static analysis or manual review may still be needed to catch remaining issues.
- Model-specific or language-specific prompt tuning could be tested as a way to steer weakness distributions toward less severe categories.
- The results point toward exploring training data changes or post-processing steps rather than prompt design alone.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript presents an empirical evaluation of security properties in code generated by five LLMs across four languages (Java, C++, C, Python) under multiple prompting methods, including a proposed weaknesses-aware zero-shot chain-of-thought (WA-0CoT) strategy that incorporates CWE mappings. Chi-square tests are reported to show no statistically significant reductions in vulnerability frequency or density across prompting methods. Prompting strategies are found to systematically alter the compositional distribution of CWE categories, with effects varying by language. The authors conclude that prompt engineering alone is insufficient to reliably reduce overall vulnerability levels.
Significance. If the empirical results hold after methodological clarification, the work would indicate that security-aware prompting can shift weakness types but does not reduce their prevalence, providing evidence against over-reliance on prompt engineering for secure code generation and emphasizing language- and model-aware design. The multi-model, multi-language scope is a strength if detection is reliable.
major comments (3)
- [Abstract and §4] Abstract and §4 (Results): The chi-square test outcomes for vulnerability frequency and density are presented without sample sizes, degrees of freedom, exact p-values, effect sizes, or power analysis. This prevents assessment of whether the 'no statistically significant reductions' claim is supported or whether null results reflect underpowered tests.
- [§3] §3 (Methodology): No description is given of the vulnerability detection method (static analysis tool, manual review, or hybrid), inter-rater reliability, false-positive rates by language, or validation of CWE mappings for incomplete or multi-weakness code. This process is load-bearing for all frequency, density, and distributional claims.
- [§4] §4 (Results): The reported systematic shifts in CWE compositional distributions across prompting methods (including WA-0CoT) and languages rest on the same uncharacterized detection and labeling pipeline; systematic bias or noise varying by condition would render both the null frequency results and the positive distribution results uninterpretable.
minor comments (2)
- [Abstract and §3] The abstract and methods could explicitly list the five LLMs (including versions and sampling parameters) and the exact prompting templates used.
- [§4] Figure or table captions for CWE distributions should include the total number of generated samples per condition to allow readers to gauge the scale of the compositional analysis.
Simulated Author's Rebuttal
We thank the referee for the thorough and constructive review. The comments correctly identify gaps in statistical reporting and methodological transparency that limit interpretability of the results. We will revise the manuscript to address these points directly.
read point-by-point responses
-
Referee: [Abstract and §4] Abstract and §4 (Results): The chi-square test outcomes for vulnerability frequency and density are presented without sample sizes, degrees of freedom, exact p-values, effect sizes, or power analysis. This prevents assessment of whether the 'no statistically significant reductions' claim is supported or whether null results reflect underpowered tests.
Authors: We agree that these details are required for proper evaluation of the null results. In the revised manuscript we will report the exact sample sizes (number of code samples per model-language-prompting combination), degrees of freedom, exact p-values, effect sizes (Cramér's V), and a post-hoc power analysis for each chi-square test on frequency and density. This will allow readers to assess whether the tests were adequately powered. revision: yes
-
Referee: [§3] §3 (Methodology): No description is given of the vulnerability detection method (static analysis tool, manual review, or hybrid), inter-rater reliability, false-positive rates by language, or validation of CWE mappings for incomplete or multi-weakness code. This process is load-bearing for all frequency, density, and distributional claims.
Authors: We acknowledge that §3 lacks a sufficiently detailed account of the detection pipeline. We will add a new subsection describing the vulnerability detection method (including any static-analysis tool and manual-review protocol), inter-rater reliability statistics, language-specific false-positive rates, and the procedure used to assign and validate CWE labels on incomplete or multi-weakness snippets. These additions will make the frequency, density, and distributional results traceable to a characterized process. revision: yes
-
Referee: [§4] §4 (Results): The reported systematic shifts in CWE compositional distributions across prompting methods (including WA-0CoT) and languages rest on the same uncharacterized detection and labeling pipeline; systematic bias or noise varying by condition would render both the null frequency results and the positive distribution results uninterpretable.
Authors: This observation is correct and is addressed by the methodological expansion described above. In the revision we will also add a brief discussion (in §4 or the limitations section) of how any residual detection noise or condition-specific bias could affect the chi-square tests on CWE distributions versus overall frequency, thereby clarifying the conditions under which the distributional shifts remain interpretable. revision: yes
Circularity Check
Purely empirical study with no derivation chain or self-referential predictions
full rationale
The paper reports an empirical evaluation of LLM-generated code security using chi-square tests on observed vulnerability frequencies, densities, and CWE category distributions across models, languages, and prompting methods. No equations, derivations, fitted parameters, or predictions are presented; the central claims are direct statistical summaries of counted outcomes from generated code samples. No self-citation load-bearing steps, ansatz smuggling, or renaming of known results appear in the reported analysis. The study is self-contained against external benchmarks via standard hypothesis testing on independent experimental outputs.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption Chi-square test is appropriate for determining whether prompting methods produce statistically significant differences in vulnerability counts
read the original abstract
The growing use of Large Language Models (LLMs) for automated code generation has enhanced software development efficiency, but often at the cost of security. Generated code frequently overlooks critical concerns, leaving it vulnerable to issues such as weak encryption and improper input validation. To investigate this problem, we present a comprehensive empirical evaluation of the security quality of LLM-generated code across five LLMs and four programming languages (Java, C++, C, and Python), examining the impact of multiple prompt engineering methods. We introduce a weaknesses-aware zero-shot chain-of-thought (WA-0CoT) prompting strategy that enriches prompts with security context using CWE mappings to guide model reasoning. Our empirical analysis, supported by chi-square tests, finds no statistically significant reductions in vulnerability frequency or density across prompt methods. However, prompting strategies, including WA-0CoT, systematically influence the compositional distribution of CWE categories, with effects varying by programming language. These findings suggest that while security-aware prompting alters the structure of generated weaknesses, prompt engineering alone is insufficient to reliably reduce overall vulnerability levels. The results highlight the importance of language-aware and model-aware prompt design when evaluating the security properties of LLM-generated code.
Figures
Reference graph
Works this paper leans on
-
[1]
JetBrains : Developer tools for professionals and teams
--- (2024 a ) C++ programming---the state of developer ecosystem in 2023 infographic. JetBrains : Developer tools for professionals and teams. https://www.jetbrains.com/lp/devecosystem-2023/cpp/, (Accessed on 09/07/2024)
work page 2024
-
[2]
https://claude.ai/new, (Accessed on 09/05/2024)
--- (2024 b ) Claude. https://claude.ai/new, (Accessed on 09/05/2024)
work page 2024
-
[3]
https://www.sonarsource.com/products/sonarqube/, (Accessed on 05/12/2024)
--- (2024 c ) Code quality, security & static analysis tool with SonarQube . https://www.sonarsource.com/products/sonarqube/, (Accessed on 05/12/2024)
work page 2024
-
[4]
https://www.codewars.com/, (Accessed on 09/09/2024)
--- (2024 d ) Codewars - achieve mastery through coding practice and developer mentorship. https://www.codewars.com/, (Accessed on 09/09/2024)
work page 2024
-
[5]
https://cwe.mitre.org/about/new_to_cwe.html, (Accessed on 05/12/2024)
--- (2024 e ) CWE - new to CWE . https://cwe.mitre.org/about/new_to_cwe.html, (Accessed on 05/12/2024)
work page 2024
-
[6]
https://cwe.mitre.org/data/index.html, [Online; accessed 2024-12-16]
--- (2024 f ) CWE list version 4.16. https://cwe.mitre.org/data/index.html, [Online; accessed 2024-12-16]
work page 2024
-
[7]
https://edabit.com/, (Accessed on 09/09/2024)
--- (2024 g ) Edabit // learn to code with 10,000+ interactive challenges. https://edabit.com/, (Accessed on 09/09/2024)
work page 2024
-
[8]
https://gemini.google.com/, (Accessed on 05/12/2024)
--- (2024 h ) Gemini - chat to supercharge your ideas. https://gemini.google.com/, (Accessed on 05/12/2024)
work page 2024
-
[9]
https://github.com/features/copilot, (Accessed on 05/12/2024)
--- (2024 i ) Github copilot---your ai pair programmer. https://github.com/features/copilot, (Accessed on 05/12/2024)
work page 2024
-
[10]
https://openai.com/index/gpt-4/, (Accessed on 05/12/2024)
--- (2024 j ) GPT -4 | OpenAI . https://openai.com/index/gpt-4/, (Accessed on 05/12/2024)
work page 2024
-
[11]
https://mistral.ai/, (Accessed on 05/12/2024)
--- (2024 k ) Mistral ai | frontier ai in your hands. https://mistral.ai/, (Accessed on 05/12/2024)
work page 2024
-
[12]
https://www.orientsoftware.com/blog/most-popular-programming-languages/, (Accessed on 05/12/2024)
--- (2024 l ) Most popular programming languages in 2024 & beyond. https://www.orientsoftware.com/blog/most-popular-programming-languages/, (Accessed on 05/12/2024)
work page 2024
-
[13]
https://www.perplexity.ai/, (Accessed on 09/05/2024)
--- (2024 m ) Perplexity. https://www.perplexity.ai/, (Accessed on 09/05/2024)
work page 2024
-
[14]
https://pieces.app/, (Accessed on 05/12/2024)
--- (2024 n ) Pieces for developers | ai-enabled developer productivity. https://pieces.app/, (Accessed on 05/12/2024)
work page 2024
-
[15]
https://leetcode.com/problemset/, (Accessed on 09/09/2024)
--- (2024 o ) Problems - leetcode. https://leetcode.com/problemset/, (Accessed on 09/09/2024)
work page 2024
-
[16]
https://www.tabnine.com/, (Accessed on 05/12/2024)
--- (2024 p ) Tabnine ai coding assistant | private, personalized, protected. https://www.tabnine.com/, (Accessed on 05/12/2024)
work page 2024
-
[17]
https://codeql.github.com/codeql-query-help/codeql-cwe-coverage/, (Accessed on 2025-07-04)
--- (2025 a ) Codeql cwe coverage. https://codeql.github.com/codeql-query-help/codeql-cwe-coverage/, (Accessed on 2025-07-04)
work page 2025
-
[18]
https://exercism.org/, (Accessed on 2025-07-04)
--- (2025 b ) Exercism. https://exercism.org/, (Accessed on 2025-07-04)
work page 2025
- [19]
-
[20]
https://huggingface.co/blog/starcoder, accessed: 2024-05-14
BigCode Project (2024) Starcoder: A state-of-the-art llm for code. https://huggingface.co/blog/starcoder, accessed: 2024-05-14
work page 2024
-
[21]
(2020) Language models are few-shot learners
Brown TB, Mann B, Ryder N, Subbiah M, Kaplan J, Dhariwal P, Neelakantan A, Shyam P, Sastry G, Askell A, et al. (2020) Language models are few-shot learners. In: NeurIPS, pp 159:1--159:25
work page 2020
-
[22]
A Survey on Evaluation of Large Language Models
Chang Y, Wang X, Wang J, Wu Y, Zhu K, Chen H, Yang L, Yi X, Wang C, Wang Y, Ye W, Zhang Y, Chang Y, Yu PS, Yang Q, Xie X (2023) A survey on evaluation of large language models. CoRR abs/2307.03109
work page Pith review arXiv 2023
-
[23]
Choi S, Mohaisen D (2025) Attributing chatgpt-generated source codes. IEEE Trans Dependable Secur Comput 22(4):3602--3615, doi:10.1109/TDSC.2025.3535218, ://doi.org/10.1109/TDSC.2025.3535218
-
[24]
Choi S, Alkinoon A, Alghuried A, Alghamdi A, Mohaisen D (2025) Attributing chatgpt-transformed synthetic code. In: 45th IEEE International Conference on Distributed Computing Systems, ICDCS 2025, Glasgow, United Kingdom, July 21-23, 2025, IEEE , pp 89--99, doi:10.1109/ICDCS63083.2025.00018, ://doi.org/10.1109/ICDCS63083.2025.00018
-
[25]
Large Language Models for Software Engineering: A Systematic Literature Review,
Hou X, Zhao Y, Liu Y, Yang Z, Wang K, Li L, Luo X, Lo D, Grundy JC, Wang H (2023) Large language models for software engineering: A systematic literature review. CoRR abs/2308.10620, 2308.10620
-
[26]
In: Findings of the Association for Computational Linguistics (ACL), pp 1049--1065
Huang J, Chang KCC (2023) Towards reasoning in large language models: A survey. In: Findings of the Association for Computational Linguistics (ACL), pp 1049--1065
work page 2023
-
[27]
Kharma MF, Choi S, Alkhanafseh M, Mohaisen D (2026) Security and quality in llm-generated code: a multi-language, multi-model analysis. IEEE Transactions on Dependable and Secure Computing pp 1--15, doi:10.1109/TDSC.2026.3672745, ://doi.org/10.1109/TDSC.2026.3672745
-
[28]
Khoury R, Avila AR, Brunelle J, Camara BM (2023) How secure is code generated by chatgpt? In: IEEE SMC
work page 2023
-
[29]
In: Proceedings of the 37th Conference on Neural Information Processing Systems (NeurIPS)
Kim G, Baldi P, McAleer S (2023) Language models can solve computer tasks. In: Proceedings of the 37th Conference on Neural Information Processing Systems (NeurIPS)
work page 2023
-
[30]
Lin J, Mohaisen D (2025) From large to mammoth: A comparative evaluation of large language models in vulnerability detection. In: 32nd Annual Network and Distributed System Security Symposium, NDSS 2025, San Diego, California, USA, February 24-28, 2025, The Internet Society, ://www.ndss-symposium.org/ndss-paper/from-large-to-mammoth-a-comparative-evaluati...
work page 2025
-
[31]
Logan RL, Balazevic I, Wallace E, Petroni F, Singh S, Riedel S (2022) Cutting down on prompts and parameters: Simple few-shot learning with language models. In: Findings of the Association for Computational Linguistics (ACL), pp 2824--2835, doi:10.18653/v1/2022.findings-acl.222
-
[32]
In: Advances in Neural Information Processing Systems (NeurIPS)
Madaan A, Tandon N, Gupta P, Hallinan S, Gao L, Wiegreffe S, Alon U, Dziri N, Prabhumoye S, Yang Y, Gupta S, Majumder BP, Hermann K, Welleck S, Yazdanbakhsh A, Clark P (2023) Self-refine: Iterative refinement with self-feedback. In: Advances in Neural Information Processing Systems (NeurIPS)
work page 2023
-
[33]
Large Language Models: A Survey
Minaee S, Mikolov T, Nikzad N, Chenaghlu M, Socher R, Amatriain X, Gao J (2024) Large language models: A survey. CoRR abs/2402.06196, 2402.06196
work page internal anchor Pith review Pith/arXiv arXiv 2024
-
[34]
Perry N, Srivastava M, Kumar D, Boneh D (2023) Do users write more insecure code with ai assistants? In: ACM CCS
work page 2023
-
[35]
(2019) Language models are unsupervised multitask learners
Radford A, Wu J, Child R, Luan D, Amodei D, Sutskever I, et al. (2019) Language models are unsupervised multitask learners. OpenAI blog 1(8):9
work page 2019
-
[36]
In: Proceedings of the 32nd USENIX Security Symposium, pp 2205--2222
Sandoval G, Pearce H, Nys T, Karri R, Garg S, Dolan-Gavitt B (2023) Lost at c: A user study on the security implications of large language model code assistants. In: Proceedings of the 32nd USENIX Security Symposium, pp 2205--2222
work page 2023
-
[37]
In: 30th USENIX Security Symposium, pp 1559--1575
Schuster R, Song C, Tromer E, Shmatikov V (2021) You autocomplete me: Poisoning vulnerabilities in neural code completion. In: 30th USENIX Security Symposium, pp 1559--1575
work page 2021
-
[38]
Siddiq ML, Santos JCS (2022) Securityeval dataset: Mining vulnerability examples to evaluate machine learning-based code generation techniques. In: ACM MSR4P&S
work page 2022
-
[39]
Siddiq ML, Santos JCS (2023) Generate and pray: Using SALLMS to evaluate the security of LLM generated code. CoRR abs/2311.00889
-
[40]
Díaz Ferreyra, Markus Mutas, Salem Dhif, and Ric- cardo Scandariato
Tony C, Ferreyra NED, Mutas M, Dhif S, Scandariato R (2025) Prompting techniques for secure code generation: A systematic investigation. ACM Trans Softw Eng Methodol 34(8):225:1--225:53, doi:10.1145/3722108, ://doi.org/10.1145/3722108
-
[41]
Vasconcelos H, Bansal G, Fourney A, Liao QV, Vaughan JW (2023) Generation probabilities are not enough: Exploring the effectiveness of uncertainty highlighting in ai-powered code completions. CoRR abs/2302.07248
-
[42]
In: Advances in Neural Information Processing Systems
Vaswani A, Shazeer N, Parmar N, Uszkoreit J, Jones L, Gomez AN, Kaiser , Polosukhin I (2017) Attention is all you need. In: Advances in Neural Information Processing Systems
work page 2017
-
[43]
In: Proceedings of the 36th Conference on Neural Information Processing Systems (NeurIPS)
Wei J, Wang X, Schuurmans D, Bosma M, Ichter B, Xia F, Chi EH, Le QV, Zhou D (2022) Chain-of-thought prompting elicits reasoning in large language models. In: Proceedings of the 36th Conference on Neural Information Processing Systems (NeurIPS)
work page 2022
-
[44]
CoRR abs/2312.05275, 2312.05275
Wu F, Zhang Q, Bajaj AP, Bao T, Zhang N, Wang R, Xiao C (2023) Exploring the limits of chatgpt in software security applications. CoRR abs/2312.05275, 2312.05275
-
[45]
(2023).Evaluating the code quality of AI-assisted code generation tools
Yetistiren B, \" O zsoy I, Ayerdem M, T \" u z \" u n E (2023) Evaluating the code quality of ai-assisted code generation tools: An empirical study on github copilot, amazon codewhisperer, and chatgpt. CoRR abs/2304.10778
-
[46]
Progressive-Hint Prompting Improves Reasoning in Large Language Models
Zheng C, Liu Z, Xie E, Li Z, Li Y (2023) Progressive-hint prompting improves reasoning in large language models. CoRR abs/2304.09797, doi:10.48550/ARXIV.2304.09797, 2304.09797
-
[47]
In: International Conference on Learning Representations (ICLR), OpenReview.net
Zhou D, Sch \" a rli N, Hou L, Wei J, Scales N, Wang X, Schuurmans D, Cui C, Bousquet O, Le QV, Chi EH (2023) Least-to-most prompting enables complex reasoning in large language models. In: International Conference on Learning Representations (ICLR), OpenReview.net
work page 2023
-
[48]
, " * write output.state after.block = add.period write newline
ENTRY address archive author booktitle chapter doi edition editor eid eprint howpublished institution journal key month note number organization pages publisher school series title type url volume year label extra.label sort.label short.list INTEGERS output.state before.all mid.sentence after.sentence after.block FUNCTION init.state.consts #0 'before.all ...
-
[49]
" write newline "" before.all 'output.state := FUNCTION add.period duplicate empty 'skip "." * add.blank if FUNCTION if.digit duplicate "0" = swap duplicate "1" = swap duplicate "2" = swap duplicate "3" = swap duplicate "4" = swap duplicate "5" = swap duplicate "6" = swap duplicate "7" = swap duplicate "8" = swap "9" = or or or or or or or or or FUNCTION ...
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.