Automated Vulnerability Repair (AVR)
Quick Answer
Automated vulnerability repair (AVR) is the subclass of automated program repair where the input is a vulnerability signal — a CVE, sanitizer report, crash trace, or proof-of-concept exploit — and the output is a patch that must eliminate exploitability while preserving intended behavior. Modern AVR systems are increasingly agentic: they navigate the repository, build, run PoCs, fuzz, and iterate. The defining distinction from generic APR is that success is a security property, not a passing test.
Automated vulnerability repair (AVR) is the subclass of automated program repair (APR) where the input is a vulnerability signal — a CVE, sanitizer report, crash trace, or proof-of-concept exploit — and the output is a patch that must both eliminate exploitability and preserve intended behavior. Modern AVR systems are increasingly agentic: they search the repository, build, run PoCs, fuzz, invoke analyzers, and iterate on candidate patches. The defining distinction from generic APR is the success criterion: a passing test suite is not enough; the patch must hold against the vulnerability signal that triggered repair.
The validation gap is what makes AVR a distinct discipline. A patch that compiles, no longer reproduces the PoC, and passes existing tests can still suppress symptoms, circumvent checks, or fix the wrong root cause — the agentic patch validation paper treats this gap as the central open problem of AVR.
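The validation gap described above can be made concrete with a small harness. The following is an added example, not code from the original page or from any AVR system it mentions: a toy length-prefixed parser with an out-of-bounds read, two candidate patches (one that swallows the crash, one that rejects the bad input before the unsafe access), and a validation gate that judges candidates against the sanitizer signal itself rather than against "the process no longer crashes". The parser, the `Memory` class, the PoC bytes and the test inputs are all constructed for illustration.

```python
"""Added example: an AVR validation gate that tells a symptom-suppressing
patch apart from a root-cause fix. All names, inputs and the parser are
constructed for illustration and belong to no real project."""
from typing import Callable, Optional


class Memory:
    """Backing buffer with a sanitizer-style side channel: every
    out-of-bounds read is counted even if the exception it raises is
    later swallowed by the code under test. This mirrors the fact that a
    real sanitizer reports the bad access regardless of how the program
    handles the resulting fault."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.oob_reads = 0

    def read(self, off: int, n: int) -> bytes:
        if off < 0 or n < 0 or off + n > len(self.data):
            self.oob_reads += 1  # the vulnerability signal
            raise IndexError("out-of-bounds read")
        return self.data[off:off + n]


Parser = Callable[[Memory], Optional[bytes]]


def vulnerable(mem: Memory) -> Optional[bytes]:
    """Length-prefixed field: trusts the length byte blindly."""
    length = mem.read(0, 1)[0]
    return mem.read(1, length)


def patch_suppress(mem: Memory) -> Optional[bytes]:
    """Candidate A: hides the crash but still performs the unsafe read."""
    try:
        return vulnerable(mem)
    except IndexError:
        return None


def patch_root_cause(mem: Memory) -> Optional[bytes]:
    """Candidate B: validates the length before any access it governs."""
    if len(mem.data) < 1:
        return None
    length = mem.read(0, 1)[0]
    if 1 + length > len(mem.data):
        return None
    return mem.read(1, length)


# Constructed inputs: regression tests on well-formed data, and a PoC whose
# length byte (0x10 = 16) exceeds the three bytes that follow it.
VALID_CASES = [(b"\x03abc", b"abc"), (b"\x00", b""), (b"\x02xyz", b"xy")]
POC = b"\x10abc"


def poc_variants(poc: bytes) -> list:
    """Cheap mutation of the PoC: every other length byte, plus truncations,
    so a fix that only handles the exact reported trigger is caught."""
    variants = [bytes([n]) + poc[1:] for n in range(256)]
    variants += [poc[:i] for i in range(1, len(poc))]
    return variants


def _signal_fires(candidate: Parser, data: bytes) -> bool:
    """Run the candidate and report whether the sanitizer side channel
    recorded an unsafe access, independent of any raised exception."""
    mem = Memory(data)
    try:
        candidate(mem)
    except IndexError:
        pass
    return mem.oob_reads > 0


def validate(candidate: Parser) -> dict:
    """Three gates; a candidate is accepted only if all three hold."""
    # Gate 1: intended behaviour preserved on valid inputs.
    tests_pass = all(candidate(Memory(i)) == o for i, o in VALID_CASES)
    # Gate 2: the signal that triggered repair is gone on the original PoC.
    poc_fixed = not _signal_fires(candidate, POC)
    # Gate 3: the same holds for variants of the PoC.
    variants_fixed = not any(_signal_fires(candidate, v) for v in poc_variants(POC))
    return {"tests_pass": tests_pass, "poc_fixed": poc_fixed,
            "variants_fixed": variants_fixed}


def accepted(candidate: Parser) -> bool:
    return all(validate(candidate).values())


if __name__ == "__main__":
    for name, cand in [("vulnerable", vulnerable),
                       ("patch_suppress", patch_suppress),
                       ("patch_root_cause", patch_root_cause)]:
        print(name, validate(cand), "accepted" if accepted(cand) else "rejected")
```

The point of the harness is gate 2: `patch_suppress` passes the regression tests and makes the PoC stop crashing, which is exactly the evidence a naive APR loop would accept, yet the unsafe read still happens and the side channel records it. Only `patch_root_cause` clears all three gates. In a real pipeline the side channel is the sanitizer or crash oracle run under the agent's control, and gate 3 is the fuzzing or variant-generation step the page describes.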