CVE-Factory: Scaling Expert-Level Agentic Tasks for Code Security Vulnerability
Xianzhen Luo, Jingyuan Zhang, Shiqi Zhou, Rain Huang, Chuan Xiao, Qingfu Zhu, Zhiyuan Ma, Xing Yue, Yang Yue, Wencong Zeng, Wanxiang Che
TL;DR
CVE-Factory addresses the critical challenge of generating executable, expert-quality vulnerability tasks from sparse CVE metadata to enable scalable evaluation and training of code-security agents. It introduces a six-stage, decoupled yet tightly coordinated multi-agent pipeline controlled by a central Orchestrator, achieving expert-level reproduction with high solution correctness ($\$95\%\$) and environment fidelity ($\$96\%\$) and demonstrating robust applicability on real-world CVEs ($66.2\%$ verified success). The framework yields LiveCVEBench—a continuously updated, multi-language benchmark—and a large-scale training corpus that enables significant improvements in medical-scale agentic vulnerability repair (e.g., $6.8\times$ on LiveCVEBench for Qwen3-32B). The approach advances practical security testing for AI/LLM-driven code agents by delivering high-fidelity tasks, scalable reproducibility, and transferable training data, with open-source resources enabling broad adoption. Overall, CVE-Factory establishes a scalable foundation for evaluating and training agentic code-security workflows in real-world, multi-language contexts.
Abstract
Evaluating and improving the security capabilities of code agents requires high-quality, executable vulnerability tasks. However, existing works rely on costly, unscalable manual reproduction and suffer from outdated data distributions. To address these, we present CVE-Factory, the first multi-agent framework to achieve expert-level quality in automatically transforming sparse CVE metadata into fully executable agentic tasks. Cross-validation against human expert reproductions shows that CVE-Factory achieves 95\% solution correctness and 96\% environment fidelity, confirming its expert-level quality. It is also evaluated on the latest realistic vulnerabilities and achieves a 66.2\% verified success. This automation enables two downstream contributions. First, we construct LiveCVEBench, a continuously updated benchmark of 190 tasks spanning 14 languages and 153 repositories that captures emerging threats including AI-tooling vulnerabilities. Second, we synthesize over 1,000 executable training environments, the first large-scale scaling of agentic tasks in code security. Fine-tuned Qwen3-32B improves from 5.3\% to 35.8\% on LiveCVEBench, surpassing Claude 4.5 Sonnet, with gains generalizing to Terminal Bench (12.5\% to 31.3\%). We open-source CVE-Factory, LiveCVEBench, Abacus-cve (fine-tuned model), training dataset, and leaderboard. All resources are available at https://github.com/livecvebench/CVE-Factory .
