VulnAgent-R2: Evidence-Calibrated Multi-Agent Auditing for Repository-Level Vulnerability Detection

Abstract:

Isolated function classifiers often yield fragile and poorly calibrated warnings because software vulnerabilities frequently hinge on cross-file data flows, build configurations, framework conventions, and runtime guards. While repository-level LLM agents have the potential to gather richer evidence, previous iterations have failed to adequately specify reproducibility, verifier behavior, baseline fairness, and statistical uncertainty. To address these gaps, we introduce VulnAgent-R2, a budget-aware agentic auditing framework that incorporates three reusable modules: counterfactual evidence reweighting, build-aware verification-plan synthesis, and a cost-risk Pareto scheduler. The system integrates graph triage, bounded context optimization, role-specialized agents, skeptical counter-evidence, selective dynamic verification, and calibrated fusion.

Performance evaluations on the Devign, Big-Vul, DiverseVul, and PrimeVul datasets show F1/AUROC scores of 0.798/0.895, 0.739/0.871, 0.700/0.842, and 0.385/0.781, respectively. On the JITVul dataset, the model achieved a 0.606 F1 score, 0.529 Top-1 localization, and 0.742 Top-3 localization, while cutting online token usage by 38.3% compared to always-full multi-agent execution. Note that online time encompasses retrieval, LLM calls, CER scoring, verifier planning, compilation, and test execution, but excludes one-time shared indexing. Bootstrap analysis indicates that the performance gain of VulnAgent-R2 over VulnAgent-X on PrimeVul is +0.038 F1 (95% CI [0.020, 0.055], Holm-adjusted $p=0.009$). By treating vulnerability detection as a process of calibrated evidence accumulation, our approach enhances detection, localization, auditability, and cost control. However, it remains a prioritization aid rather than a substitute for manual review. The code is available at https://github.com/renweimeng/Vlun-Agent-X.
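The paired bootstrap and Holm-adjusted comparison the abstract reports (+0.038 F1 on PrimeVul, 95% CI and adjusted p) can be reproduced in outline with the code below. This is an added example, not code from the paper or its repository; it runs on a constructed toy benchmark rather than PrimeVul, and the two detectors' outputs, the dataset size and the extra p-values fed into the Holm step are assumptions.

```python
import random

def f1_score(y_true, y_pred):
    """Binary F1 over paired label/prediction lists (1 = vulnerable)."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    return 0.0 if tp == 0 else 2 * tp / (2 * tp + fp + fn)

def paired_bootstrap_f1_delta(y_true, pred_new, pred_base, n_boot=2000, seed=0):
    """Paired bootstrap: resample the same function indices for both systems,
    recompute F1(new) - F1(base) each time, and report the point estimate,
    the 95% percentile interval and a two-sided bootstrap p-value."""
    rng = random.Random(seed)
    n = len(y_true)
    point = f1_score(y_true, pred_new) - f1_score(y_true, pred_base)
    deltas = []
    for _ in range(n_boot):
        idx = [rng.randrange(n) for _ in range(n)]
        t = [y_true[i] for i in idx]
        a = [pred_new[i] for i in idx]
        b = [pred_base[i] for i in idx]
        deltas.append(f1_score(t, a) - f1_score(t, b))
    deltas.sort()
    lo, hi = deltas[int(0.025 * n_boot)], deltas[int(0.975 * n_boot) - 1]
    # Share of resamples on the "wrong" side of zero, doubled for a two-sided test.
    p = 2 * min(sum(d <= 0 for d in deltas), sum(d >= 0 for d in deltas)) / n_boot
    return point, lo, hi, min(1.0, p)

def holm_adjust(pvalues):
    """Holm step-down correction when the same comparison is run on several datasets."""
    m = len(pvalues)
    order = sorted(range(m), key=lambda i: pvalues[i])
    adjusted, running = [0.0] * m, 0.0
    for rank, i in enumerate(order):
        running = max(running, (m - rank) * pvalues[i])  # keep adjusted p monotone
        adjusted[i] = min(1.0, running)
    return adjusted

# Constructed toy benchmark (NOT PrimeVul): 20 vulnerable + 20 benign functions.
# The "new" detector flags 16/20 with 3 false alarms; the baseline 12/20 with 6.
Y_TRUE = [1] * 20 + [0] * 20
PRED_NEW = [1] * 16 + [0] * 4 + [1] * 3 + [0] * 17
PRED_BASE = [1] * 12 + [0] * 8 + [1] * 6 + [0] * 14

def run_demo():
    point, lo, hi, p = paired_bootstrap_f1_delta(Y_TRUE, PRED_NEW, PRED_BASE)
    # Assume the same comparison was run on two more datasets (p = 0.04, 0.30).
    adjusted = holm_adjust([p, 0.04, 0.30])
    return {"delta_f1": point, "ci95": (lo, hi), "p_raw": p, "p_holm": adjusted[0]}
```

A reported gain whose interval includes zero, or whose Holm-adjusted p exceeds the threshold, should not be read as a real improvement over the baseline.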


Source: arXiv Generated at: 2026-06-03 00:00:00 UTC
