Pith Number

pith:LCHNSRQU

pith:2026:LCHNSRQU5TKTEV3OKB5FGMZGTU
not attested · not anchored · not stored · refs resolved

Code-Centric Detection of Vulnerability-Fixing Commits: A Unified Benchmark and Empirical Study

Felix Mächtle, Joseph Bienhüls, Kristoffer Hempel, Nils Loose, Thomas Eisenbarth

Code language models acquire no transferable security understanding from vulnerability-fixing code changes alone.

arxiv:2605.13138 v1 · 2026-05-13 · cs.SE · cs.CR · cs.LG

Add to your LaTeX paper
\usepackage{pith}
\pithnumber{LCHNSRQU5TKTEV3OKB5FGMZGTU}

Prints a linked badge after your title and injects PDF metadata. Compiles on arXiv.

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim open
4 Citations open
5 Replications open
Portable graph bundle live
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1 · strongest claim

We find no evidence that models acquire transferable security-relevant code understanding from code changes alone. When commit messages are available, they dominate model attention, and when removed, an attribution analysis shows that enriching diffs with additional intra-procedural semantic context does not shift model attention toward the code changes.

C2 · weakest assumption

The consolidated datasets from prior sources contain accurate, unbiased labels for vulnerability-fixing commits, and the chosen evaluation splits (random, group-stratified, temporal) reflect realistic deployment conditions without unmeasured distributional shifts.

C3 · one line summary

Code language models show no transferable security understanding from code diffs alone, rely on commit messages, miss over 93% of fixes at a 0.5% false positive rate, and suffer large drops under group or temporal splits.

References

69 extracted · 69 resolved · 3 Pith anchors

Receipt and verification
First computed: 2026-05-18T03:08:57.532235Z
Builder: pith-number-builder-2026-05-17-v1
Signature: Pith Ed25519 (pith-v1-2026-05)
Schema: pith-number/v1.0

Canonical hash

588ed94614ecd532576e507a5333269d1dbdd6fd8903af21838f7df46ed65458

Aliases

arxiv: 2605.13138 · arxiv_version: 2605.13138v1 · doi: 10.48550/arxiv.2605.13138 · pith_short_12: LCHNSRQU5TKT · pith_short_16: LCHNSRQU5TKTEV3O · pith_short_8: LCHNSRQU
Agent API
Verify this Pith Number yourself
curl -sH 'Accept: application/ld+json' https://pith.science/pith/LCHNSRQU5TKTEV3OKB5FGMZGTU \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: 588ed94614ecd532576e507a5333269d1dbdd6fd8903af21838f7df46ed65458
Canonical record JSON
{
  "metadata": {
    "abstract_canon_sha256": "83003c56734c5fd8487d9151a3f7d87b5801d0694f464d65ac7a554701021518",
    "cross_cats_sorted": [
      "cs.CR",
      "cs.LG"
    ],
    "license": "http://arxiv.org/licenses/nonexclusive-distrib/1.0/",
    "primary_cat": "cs.SE",
    "submitted_at": "2026-05-13T08:05:14Z",
    "title_canon_sha256": "125a2503ddd8afa917efefeac7f6305df6d59d240ac648052088ac83ef698c0e"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2605.13138",
    "kind": "arxiv",
    "version": 1
  }
}