{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2026:W6WHITPBA4TMAQRKMG5NTAJFJV","short_pith_number":"pith:W6WHITPB","canonical_record":{"source":{"id":"2606.28125","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.SE","submitted_at":"2026-06-26T14:26:13Z","cross_cats_sorted":["cs.CR"],"title_canon_sha256":"8b376114a876eefc896ae932d2b954bd43edf1b8f9889822b3ab403a20a67ff3","abstract_canon_sha256":"3b18a3d1a6775a8f54e894daa494b911ce88824385da109d427de94f15bfd5b3"},"schema_version":"1.0"},"canonical_sha256":"b7ac744de10726c0422a61bad981254d5990812e318f37536b049f8fde842120","source":{"kind":"arxiv","id":"2606.28125","version":1},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2606.28125","created_at":"2026-06-29T01:15:06Z"},{"alias_kind":"arxiv_version","alias_value":"2606.28125v1","created_at":"2026-06-29T01:15:06Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2606.28125","created_at":"2026-06-29T01:15:06Z"},{"alias_kind":"pith_short_12","alias_value":"W6WHITPBA4TM","created_at":"2026-06-29T01:15:06Z"},{"alias_kind":"pith_short_16","alias_value":"W6WHITPBA4TMAQRK","created_at":"2026-06-29T01:15:06Z"},{"alias_kind":"pith_short_8","alias_value":"W6WHITPB","created_at":"2026-06-29T01:15:06Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2026:W6WHITPBA4TMAQRKMG5NTAJFJV","target":"record","payload":{"canonical_record":{"source":{"id":"2606.28125","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.SE","submitted_at":"2026-06-26T14:26:13Z","cross_cats_sorted":["cs.CR"],"title_canon_sha256":"8b376114a876eefc896ae932d2b954bd43edf1b8f9889822b3ab403a20a67ff3","abstract_canon_sha256":"3b18a3d1a6775a8f54e894daa494b911ce88824385da109d427de94f15bfd5b3"},"schema_version":"1.0"},"canonical_sha256":"b7ac744de10726c0422a61bad981254d5990812e318f37536b049f8fde842120","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-06-29T01:15:06.744437Z","signature_b64":"eXc0VsTgwsg3MzALcjGWt/hfXAAemk+yZWaQC8w3gP092usSk2eLsWSmSnf9v/EGmeS4IgrJigFjZa2nsnOLCA==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"b7ac744de10726c0422a61bad981254d5990812e318f37536b049f8fde842120","last_reissued_at":"2026-06-29T01:15:06.743957Z","signature_status":"signed_v1","first_computed_at":"2026-06-29T01:15:06.743957Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"2606.28125","source_version":1,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-06-29T01:15:06Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"4uHZ9bIqW3+lbx0WOZJSIpTJtKDHY5bW8GQ0UeDDL24pGNlDhT9uq6bSkqN2f/ckMMpLqIizW0LySJyx0c9eCw==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-29T19:43:06.252330Z"},"content_sha256":"e180d9dd09393076b974a4dbfb81048e0e76a904e7834fbae286c3f43edbb672","schema_version":"1.0","event_id":"sha256:e180d9dd09393076b974a4dbfb81048e0e76a904e7834fbae286c3f43edbb672"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2026:W6WHITPBA4TMAQRKMG5NTAJFJV","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"How Humans, Bots, and Agents Communicate About Vulnerabilities in Pull Requests","license":"http://creativecommons.org/licenses/by/4.0/","headline":"","cross_cats":["cs.CR"],"primary_cat":"cs.SE","authors_text":"Christoph Treude, Mairieli Wessel, Pien Rooijendijk","submitted_at":"2026-06-26T14:26:13Z","abstract_excerpt":"Developers may reference vulnerabilities in pull request discussions through both explicit identifiers, such as CVEs or GHSAs, and implicit security-related language (e.g., \"unauthorized access\" or \"SQL injection\"). Prior work has primarily focused on explicit identifiers, potentially overlooking vulnerability discussions that lack formal references. Bots and coding agents are becoming more common in pull requests, raising new questions about how different accounts communicate about vulnerabilities. In this registered report, we describe our planned study of vulnerability communication in pull"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2606.28125","kind":"arxiv","version":1},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2606.28125/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":null},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-06-29T01:15:06Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"1f8I/df6JXwGDKD/Y3qV6OdfWA+mH3rookewTv1hUMHqRmBx2AfPBocjDpZv2O4HpEBs7zWpYCoCGbmm5+0kCA==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-29T19:43:06.252700Z"},"content_sha256":"e222b5235ee4b8b7e6d0bead33ae5071ce6644b98268a2a5a9be447a1423b668","schema_version":"1.0","event_id":"sha256:e222b5235ee4b8b7e6d0bead33ae5071ce6644b98268a2a5a9be447a1423b668"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/W6WHITPBA4TMAQRKMG5NTAJFJV/bundle.json","state_url":"https://pith.science/pith/W6WHITPBA4TMAQRKMG5NTAJFJV/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/W6WHITPBA4TMAQRKMG5NTAJFJV/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-06-29T19:43:06Z","links":{"resolver":"https://pith.science/pith/W6WHITPBA4TMAQRKMG5NTAJFJV","bundle":"https://pith.science/pith/W6WHITPBA4TMAQRKMG5NTAJFJV/bundle.json","state":"https://pith.science/pith/W6WHITPBA4TMAQRKMG5NTAJFJV/state.json","well_known_bundle":"https://pith.science/.well-known/pith/W6WHITPBA4TMAQRKMG5NTAJFJV/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:W6WHITPBA4TMAQRKMG5NTAJFJV","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"3b18a3d1a6775a8f54e894daa494b911ce88824385da109d427de94f15bfd5b3","cross_cats_sorted":["cs.CR"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.SE","submitted_at":"2026-06-26T14:26:13Z","title_canon_sha256":"8b376114a876eefc896ae932d2b954bd43edf1b8f9889822b3ab403a20a67ff3"},"schema_version":"1.0","source":{"id":"2606.28125","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2606.28125","created_at":"2026-06-29T01:15:06Z"},{"alias_kind":"arxiv_version","alias_value":"2606.28125v1","created_at":"2026-06-29T01:15:06Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2606.28125","created_at":"2026-06-29T01:15:06Z"},{"alias_kind":"pith_short_12","alias_value":"W6WHITPBA4TM","created_at":"2026-06-29T01:15:06Z"},{"alias_kind":"pith_short_16","alias_value":"W6WHITPBA4TMAQRK","created_at":"2026-06-29T01:15:06Z"},{"alias_kind":"pith_short_8","alias_value":"W6WHITPB","created_at":"2026-06-29T01:15:06Z"}],"graph_snapshots":[{"event_id":"sha256:e222b5235ee4b8b7e6d0bead33ae5071ce6644b98268a2a5a9be447a1423b668","target":"graph","created_at":"2026-06-29T01:15:06Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"integrity":{"available":true,"clean":true,"detectors_run":[],"endpoint":"/pith/2606.28125/integrity.json","findings":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938","summary":{"advisory":0,"by_detector":{},"critical":0,"informational":0}},"paper":{"abstract_excerpt":"Developers may reference vulnerabilities in pull request discussions through both explicit identifiers, such as CVEs or GHSAs, and implicit security-related language (e.g., \"unauthorized access\" or \"SQL injection\"). Prior work has primarily focused on explicit identifiers, potentially overlooking vulnerability discussions that lack formal references. Bots and coding agents are becoming more common in pull requests, raising new questions about how different accounts communicate about vulnerabilities. In this registered report, we describe our planned study of vulnerability communication in pull","authors_text":"Christoph Treude, Mairieli Wessel, Pien Rooijendijk","cross_cats":["cs.CR"],"headline":"","license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.SE","submitted_at":"2026-06-26T14:26:13Z","title":"How Humans, Bots, and Agents Communicate About Vulnerabilities in Pull Requests"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2606.28125","kind":"arxiv","version":1},"verdict":{"created_at":null,"id":null,"model_set":{},"one_line_summary":"","pipeline_version":null,"pith_extraction_headline":"","strongest_claim":"","weakest_assumption":""}},"verdict_id":null}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:e180d9dd09393076b974a4dbfb81048e0e76a904e7834fbae286c3f43edbb672","target":"record","created_at":"2026-06-29T01:15:06Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"3b18a3d1a6775a8f54e894daa494b911ce88824385da109d427de94f15bfd5b3","cross_cats_sorted":["cs.CR"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.SE","submitted_at":"2026-06-26T14:26:13Z","title_canon_sha256":"8b376114a876eefc896ae932d2b954bd43edf1b8f9889822b3ab403a20a67ff3"},"schema_version":"1.0","source":{"id":"2606.28125","kind":"arxiv","version":1}},"canonical_sha256":"b7ac744de10726c0422a61bad981254d5990812e318f37536b049f8fde842120","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"b7ac744de10726c0422a61bad981254d5990812e318f37536b049f8fde842120","first_computed_at":"2026-06-29T01:15:06.743957Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-06-29T01:15:06.743957Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"eXc0VsTgwsg3MzALcjGWt/hfXAAemk+yZWaQC8w3gP092usSk2eLsWSmSnf9v/EGmeS4IgrJigFjZa2nsnOLCA==","signature_status":"signed_v1","signed_at":"2026-06-29T01:15:06.744437Z","signed_message":"canonical_sha256_bytes"},"source_id":"2606.28125","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:e180d9dd09393076b974a4dbfb81048e0e76a904e7834fbae286c3f43edbb672","sha256:e222b5235ee4b8b7e6d0bead33ae5071ce6644b98268a2a5a9be447a1423b668"],"state_sha256":"a777f94929aa908885078920c87b26b175723bd802c3b359ed4d16f6fa6d603e"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"o3XeeMI0EwVNqNuvopN2qzprncxIu/f0M8bcHSZHhHO8zB8Y/JpY6s1ECRr05yif/6sMWuBgu8yYcrCdWvBzAw==","signed_message":"bundle_sha256_bytes","signed_at":"2026-06-29T19:43:06.254764Z","bundle_sha256":"bda5a1deca8f10b5b824fa15d792b01f5732606791a1533a201640968781a609"}}