Software Vulnerability Management in the Era of Artificial Intelligence: An Industry Perspective

M. Mehdi Kholoosi, Triet Huynh Minh Le, M. Ali Babar

TL;DR

This study investigates how AI-powered tools are used across the software vulnerability management (SVM) life cycle in industry. Through a survey of 60 practitioners across 27 countries, it shows that AI supports multiple SVM tasks and is often deployed as a decision-assistive component within governance-rich pipelines, with 85% having some AI exposure and 69% of AI users expressing satisfaction. Key benefits include increased speed, broader coverage, and easier access, while major challenges remain false positives, context gaps, and integration overhead, necessitating robust human-in-the-loop validation and formal governance. The findings offer practical guidance for practitioners and tool developers on integrating AI responsibly into SVM, emphasize the socio-technical nature of adoption, and call for longitudinal field studies to understand human–AI collaboration in secure software development. Overall, AI-augmented SVM is advancing toward broader industry adoption, but practical deployment hinges on explainability, contextual awareness, workflow integration, and verifiable safety guarantees.

Abstract

Artificial Intelligence (AI) has revolutionized software development, particularly by automating repetitive tasks and improving developer productivity. While these advancements are well-documented, the use of AI-powered tools for Software Vulnerability Management (SVM), such as vulnerability detection and repair, remains underexplored in industry settings. To bridge this gap, our study aims to determine the extent of the adoption of AI-powered tools for SVM, identify barriers and facilitators to their use, and gather insights to help improve the tools to better meet industry needs. We conducted a survey study involving 60 practitioners from diverse industry sectors across 27 countries. The survey incorporates both quantitative and qualitative questions to analyze the adoption trends, assess tool strengths, identify practical challenges, and uncover opportunities for improvement. Our findings indicate that AI-powered tools are used throughout the SVM life cycle, with 69% of users reporting satisfaction with their current use. Practitioners value these tools for their speed, coverage, and accessibility. However, concerns about false positives, missing context, and trust issues remain prevalent. We observe a socio-technical adoption pattern in which AI outputs are filtered through human oversight and organizational governance. To support safe and effective use of AI for SVM, we recommend improvements in explainability, contextual awareness, integration workflows, and validation practices. We assert that these findings can offer practical guidance for practitioners, tool developers, and researchers seeking to enhance secure software development through the use of AI.

Paper Structure

This paper contains 37 sections, 7 figures, 2 tables.

Figures (7)

  • Figure 1: Illustration of our coding process for the question "What are the key strengths of AI-powered tools in SVM?".
  • Figure 2: Participants’ involvement in key SVM tasks.
  • Figure 3: Frequency of use across four SVM approaches.
  • Figure 4: Top-5 AI tools used per SVM task (number of users).
  • Figure 5: Distribution of tool access modes for AI-powered SVM (% of total selections).
  • ...and 2 more figures