{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2026:NZPPKNG4QKR3FVX7JK2LVX3HCB","short_pith_number":"pith:NZPPKNG4","schema_version":"1.0","canonical_sha256":"6e5ef534dc82a3b2d6ff4ab4badf6710763c087e54326fb9d940a1fdbfb20f61","source":{"kind":"arxiv","id":"2602.04165","version":2},"attestation_state":"computed","paper":{"title":"PoC-Gym: Towards More Reliable LLM-Assisted Proof-of-Concept Exploit Generation","license":"http://creativecommons.org/licenses/by/4.0/","headline":"PoC-Gym generates post-hoc valid PoCs for 12 of 20 Java CVEs by requiring candidates to reach ground-truth vulnerable locations.","cross_cats":[],"primary_cat":"cs.SE","authors_text":"Amartya Das, Claire Wang, Derin Gezgin, Nevena Stojkovic, Shinhae Kim, Zhengdong Huang","submitted_at":"2026-02-04T02:59:03Z","abstract_excerpt":"Recently Large Language Models (LLMs) have been used in security-related tasks, including generating proof-of-concept (PoC) exploits. Several LLM-assisted approaches have been proposed; they typically generate PoCs from vulnerability descriptions and use additional guidance. But, such approaches are often ineffective because the signals-such as printed markers, generated files, or runtime side effects-that they use for validation may not imply that the vulnerability is triggered. Research for more reliable PoC generation is in need but yet remains challenging. We propose PoC-Gym, a pipeline fo"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":true,"formal_links_present":false},"canonical_record":{"source":{"id":"2602.04165","kind":"arxiv","version":2},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.SE","submitted_at":"2026-02-04T02:59:03Z","cross_cats_sorted":[],"title_canon_sha256":"a0f1ced438f9971ae28b8fcd7beefcd773b1ba59ceb1cfae090ec8e3bf2e58ff","abstract_canon_sha256":"f4834a078a00646143bd9cae83e7188d1ede7c5954abda42519dc7ecf8cb2cd2"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-18T02:45:05.513113Z","signature_b64":"vIJrSLE3uaqxk9h6Gv7oSEKlFQ+Tnpt8YKqQWR1E6sK0McA9ANhxqEC0pVQOarmmaydK+togesd1s4BmEH/5DA==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"6e5ef534dc82a3b2d6ff4ab4badf6710763c087e54326fb9d940a1fdbfb20f61","last_reissued_at":"2026-05-18T02:45:05.512515Z","signature_status":"signed_v1","first_computed_at":"2026-05-18T02:45:05.512515Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"PoC-Gym: Towards More Reliable LLM-Assisted Proof-of-Concept Exploit Generation","license":"http://creativecommons.org/licenses/by/4.0/","headline":"PoC-Gym generates post-hoc valid PoCs for 12 of 20 Java CVEs by requiring candidates to reach ground-truth vulnerable locations.","cross_cats":[],"primary_cat":"cs.SE","authors_text":"Amartya Das, Claire Wang, Derin Gezgin, Nevena Stojkovic, Shinhae Kim, Zhengdong Huang","submitted_at":"2026-02-04T02:59:03Z","abstract_excerpt":"Recently Large Language Models (LLMs) have been used in security-related tasks, including generating proof-of-concept (PoC) exploits. Several LLM-assisted approaches have been proposed; they typically generate PoCs from vulnerability descriptions and use additional guidance. But, such approaches are often ineffective because the signals-such as printed markers, generated files, or runtime side effects-that they use for validation may not imply that the vulnerability is triggered. Research for more reliable PoC generation is in need but yet remains challenging. We propose PoC-Gym, a pipeline fo"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"Across 338 runs on 20 Java CVEs, PoC-Gym produces 65 post-hoc valid PoCs covering 12 CVEs; on the 14-CVE overlap with FaultLine the strongest configuration succeeds on 8 CVEs versus FaultLine's 5.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"That reaching the ground-truth vulnerable location after a runtime-valid execution is sufficient evidence that the PoC actually triggers the reported vulnerability rather than an unrelated path.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"PoC-Gym generates PoC exploits for Java CVEs via iterative LLM prompting with static traces and coverage feedback, yielding post-hoc valid PoCs for 12 of 20 evaluated CVEs and outperforming FaultLine on the 14-CVE overlap.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"PoC-Gym generates post-hoc valid PoCs for 12 of 20 Java CVEs by requiring candidates to reach ground-truth vulnerable locations.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"bc1dd8095b36f178e0898cd757226a573e51ed53cb5a8c177b2479005faa8c96"},"source":{"id":"2602.04165","kind":"arxiv","version":2},"verdict":{"id":"263be721-1516-484f-bb0e-b82c2a7d883b","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-16T08:01:56.892069Z","strongest_claim":"Across 338 runs on 20 Java CVEs, PoC-Gym produces 65 post-hoc valid PoCs covering 12 CVEs; on the 14-CVE overlap with FaultLine the strongest configuration succeeds on 8 CVEs versus FaultLine's 5.","one_line_summary":"PoC-Gym generates PoC exploits for Java CVEs via iterative LLM prompting with static traces and coverage feedback, yielding post-hoc valid PoCs for 12 of 20 evaluated CVEs and outperforming FaultLine on the 14-CVE overlap.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"That reaching the ground-truth vulnerable location after a runtime-valid execution is sufficient evidence that the PoC actually triggers the reported vulnerability rather than an unrelated path.","pith_extraction_headline":"PoC-Gym generates post-hoc valid PoCs for 12 of 20 Java CVEs by requiring candidates to reach ground-truth vulnerable locations."},"references":{"count":17,"sample":[{"doi":"","year":null,"title":"touch /tmp/ code-injected","work_id":"5dbad851-e464-4792-94b5-3fc942dcca8f","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2017,"title":"**Validation** - One *specific* programmatic check that confirms the goal (e.g., verify that ‘/tmp/code-injected‘ exists). Return exactly two sections in this format: ‘‘‘ ## Goal <goal sentence> ## Va","work_id":"06b1bf2e-7554-4848-b712-fd87c165cd4a","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"Provide **exactly one ** Java source file named ‘PoCTest.java‘ containing a public class ‘PoCTest‘ with a ‘main(String[] args)‘ method","work_id":"53bd4235-95ee-4fb7-88f2-60c16ea4980e","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"Do not rely on CLI arguments to switch behaviour; simply run the exploit path and report ‘[VULN]‘ on success","work_id":"d2c3811f-592e-499e-a78d-78ff44d58e5e","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"** As long as it is possible, do not import ‘java.lang.reflect","work_id":"a598a6e8-f82d-477a-a7d8-63661d3ffe7d","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":17,"snapshot_sha256":"0844c30d9cf19d028eefa25bc38b97afb8581c6510186bc16d3cfd5278e13be9","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2602.04165","created_at":"2026-05-18T02:45:05.512595+00:00"},{"alias_kind":"arxiv_version","alias_value":"2602.04165v2","created_at":"2026-05-18T02:45:05.512595+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2602.04165","created_at":"2026-05-18T02:45:05.512595+00:00"},{"alias_kind":"pith_short_12","alias_value":"NZPPKNG4QKR3","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_16","alias_value":"NZPPKNG4QKR3FVX7","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_8","alias_value":"NZPPKNG4","created_at":"2026-05-18T12:33:37.589309+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":0,"internal_anchor_count":0,"sample":[]},"formal_canon":{"evidence_count":0,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/NZPPKNG4QKR3FVX7JK2LVX3HCB","json":"https://pith.science/pith/NZPPKNG4QKR3FVX7JK2LVX3HCB.json","graph_json":"https://pith.science/api/pith-number/NZPPKNG4QKR3FVX7JK2LVX3HCB/graph.json","events_json":"https://pith.science/api/pith-number/NZPPKNG4QKR3FVX7JK2LVX3HCB/events.json","paper":"https://pith.science/paper/NZPPKNG4"},"agent_actions":{"view_html":"https://pith.science/pith/NZPPKNG4QKR3FVX7JK2LVX3HCB","download_json":"https://pith.science/pith/NZPPKNG4QKR3FVX7JK2LVX3HCB.json","view_paper":"https://pith.science/paper/NZPPKNG4","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2602.04165&json=true","fetch_graph":"https://pith.science/api/pith-number/NZPPKNG4QKR3FVX7JK2LVX3HCB/graph.json","fetch_events":"https://pith.science/api/pith-number/NZPPKNG4QKR3FVX7JK2LVX3HCB/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/NZPPKNG4QKR3FVX7JK2LVX3HCB/action/timestamp_anchor","attest_storage":"https://pith.science/pith/NZPPKNG4QKR3FVX7JK2LVX3HCB/action/storage_attestation","attest_author":"https://pith.science/pith/NZPPKNG4QKR3FVX7JK2LVX3HCB/action/author_attestation","sign_citation":"https://pith.science/pith/NZPPKNG4QKR3FVX7JK2LVX3HCB/action/citation_signature","submit_replication":"https://pith.science/pith/NZPPKNG4QKR3FVX7JK2LVX3HCB/action/replication_record"}},"created_at":"2026-05-18T02:45:05.512595+00:00","updated_at":"2026-05-18T02:45:05.512595+00:00"}