pith. sign in
Pith Number

pith:NZPPKNG4

pith:2026:NZPPKNG4QKR3FVX7JK2LVX3HCB
not attested not anchored not stored refs resolved

PoC-Gym: Towards More Reliable LLM-Assisted Proof-of-Concept Exploit Generation

Amartya Das, Claire Wang, Derin Gezgin, Nevena Stojkovic, Shinhae Kim, Zhengdong Huang

PoC-Gym generates post-hoc valid PoCs for 12 of 20 Java CVEs by requiring candidates to reach ground-truth vulnerable locations.

arxiv:2602.04165 v2 · 2026-02-04 · cs.SE

Open paper page JSON Open Graph Bundle Merged state Verified badge What is a Pith Number?
Add to your LaTeX paper 
\usepackage{pith}
\pithnumber{NZPPKNG4QKR3FVX7JK2LVX3HCB}

Prints a linked badge after your title and injects PDF metadata. Compiles on arXiv. Learn more · Embed verified badge

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim open · sign in to claim
4 Citations open
5 Replications open
Portable graph bundle live · download bundle · merged state
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1strongest claim

Across 338 runs on 20 Java CVEs, PoC-Gym produces 65 post-hoc valid PoCs covering 12 CVEs; on the 14-CVE overlap with FaultLine the strongest configuration succeeds on 8 CVEs versus FaultLine's 5.

C2weakest assumption

That reaching the ground-truth vulnerable location after a runtime-valid execution is sufficient evidence that the PoC actually triggers the reported vulnerability rather than an unrelated path.

C3one line summary

PoC-Gym generates PoC exploits for Java CVEs via iterative LLM prompting with static traces and coverage feedback, yielding post-hoc valid PoCs for 12 of 20 evaluated CVEs and outperforming FaultLine on the 14-CVE overlap.

References

17 extracted · 17 resolved · 0 Pith anchors

[1] touch /tmp/ code-injected
[2] **Validation** - One *specific* programmatic check that confirms the goal (e.g., verify that ‘/tmp/code-injected‘ exists). Return exactly two sections in this format: ‘‘‘ ## Goal <goal sentence> ## Va 2017
[3] Provide **exactly one ** Java source file named ‘PoCTest.java‘ containing a public class ‘PoCTest‘ with a ‘main(String[] args)‘ method
[4] Do not rely on CLI arguments to switch behaviour; simply run the exploit path and report ‘[VULN]‘ on success
[5] ** As long as it is possible, do not import ‘java.lang.reflect
Receipt and verification
First computed 2026-05-18T02:45:05.512515Z
Builder pith-number-builder-2026-05-17-v1
Signature Pith Ed25519 (pith-v1-2026-05) · public key
Schema pith-number/v1.0

Canonical hash

6e5ef534dc82a3b2d6ff4ab4badf6710763c087e54326fb9d940a1fdbfb20f61

Aliases

arxiv: 2602.04165 · arxiv_version: 2602.04165v2 · doi: 10.48550/arxiv.2602.04165 · pith_short_12: NZPPKNG4QKR3 · pith_short_16: NZPPKNG4QKR3FVX7 · pith_short_8: NZPPKNG4
Agent API
Resolver JSON Graph JSON Events JSON Schema Signing key
Verify this Pith Number yourself 
curl -sH 'Accept: application/ld+json' https://pith.science/pith/NZPPKNG4QKR3FVX7JK2LVX3HCB \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: 6e5ef534dc82a3b2d6ff4ab4badf6710763c087e54326fb9d940a1fdbfb20f61
Canonical record JSON 
{
  "metadata": {
    "abstract_canon_sha256": "f4834a078a00646143bd9cae83e7188d1ede7c5954abda42519dc7ecf8cb2cd2",
    "cross_cats_sorted": [],
    "license": "http://creativecommons.org/licenses/by/4.0/",
    "primary_cat": "cs.SE",
    "submitted_at": "2026-02-04T02:59:03Z",
    "title_canon_sha256": "a0f1ced438f9971ae28b8fcd7beefcd773b1ba59ceb1cfae090ec8e3bf2e58ff"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2602.04165",
    "kind": "arxiv",
    "version": 2
  }
}