Model Card for Model ID

LoRA adapter for fdtn-ai/Foundation-Sec-8B-Instruct tuned for structured CVE remediation output. The model is designed to take CVE evidence and return a fixed seven-field JSON object containing severity, affected component, root cause, and remediation guidance.

Model Details

Model Description

This model is a parameter-efficient fine-tuning adapter built on top of fdtn-ai/Foundation-Sec-8B-Instruct. It is intended for structured vulnerability remediation assistance rather than open-ended chat. Given CVE evidence such as CVE ID, description, CVSS score, CWE, and affected component context, it generates a JSON response with a fixed schema:

  • cve_id
  • severity
  • affected_component
  • technical_root_cause
  • recommended_fix
  • developer_remediation_steps
  • verification_steps

The adapter was evaluated in a Colab-based external benchmark on 100 CVE examples and showed strong schema adherence and high exact-match performance on most structured fields.

  • Developed by: Ramitha Iddamalgoda
  • Funded by [optional]: Self-directed
  • Shared by [optional]: Ramitha Iddamalgoda
  • Model type: LoRA adapter for causal language modeling
  • Language(s) (NLP): English
  • License: Apache 2.0
  • Finetuned from model [optional]: fdtn-ai/Foundation-Sec-8B-Instruct

Model Sources [optional]

  • Paper [optional]: Not applicable
  • Demo [optional]: Not available

Uses

Direct Use

This adapter is intended for structured CVE remediation tasks where the input contains vulnerability evidence and the desired output is a constrained JSON object. Likely uses include:

  • vulnerability triage experiments
  • structured remediation drafting
  • evaluation workflows for CVE understanding
  • prototype security assistant pipelines

Downstream Use

This adapter can be used inside larger systems that:

  • collect CVE descriptions from vulnerability feeds
  • normalize vulnerability information into a fixed schema
  • generate remediation suggestions for analyst review
  • compare structured output quality across model variants

Out-of-Scope Use

This model should not be used as:

  • a fully autonomous security remediation engine
  • a guaranteed-safe patch recommendation system
  • a replacement for expert review in production security operations
  • a general-purpose cybersecurity assistant outside its structured CVE task

Bias, Risks, and Limitations

This model inherits limitations from the base model and from its fine-tuning data. It may produce incomplete, incorrect, outdated, or oversimplified remediation guidance. Although it performs well on the reported benchmark, the benchmark is small and not a definitive production evaluation.

Recommendations

Use this model as an assistive tool, not an authoritative source. All outputs should be reviewed by a human with security context before operational use. When reporting results, describe them as an initial external benchmark rather than a final research-grade evaluation.

How to Get Started with the Model

Use the code below to get started with the model.

from transformers import AutoModelForCausalLM, AutoTokenizer
from peft import PeftModel

base_model = "fdtn-ai/Foundation-Sec-8B-Instruct"
adapter_repo = "your-username/secfix-cve-remediation-lora"

tokenizer = AutoTokenizer.from_pretrained(adapter_repo)
model = AutoModelForCausalLM.from_pretrained(base_model, device_map="auto")
model = PeftModel.from_pretrained(model, adapter_repo)
model.eval()

Example input format:

CVE ID: CVE-2024-11773
Description: SQL injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.
CVSS Score: 9.8
CWE: CWE-89
Affected Component: Ivanti - Cloud Services Application

Expected output schema:

{
  "cve_id": "",
  "severity": "",
  "affected_component": "",
  "technical_root_cause": "",
  "recommended_fix": "",
  "developer_remediation_steps": "",
  "verification_steps": ""
}

Training Details

Training Data

The adapter was trained for structured CVE remediation tasks using public CVE-oriented datasets prepared into JSONL chat-style training rows. The broader project used public CVE records with descriptions, CVSS-derived severity information, CWE information where available, and remediation-oriented text derived from source evidence.

Datasets considered in the project included:

  • AlicanKiraz0/All-CVE-Records-Training-Dataset
  • iamthierno/cvedataset.jsonl

The final task format used a system prompt plus a user message containing CVE evidence, with the assistant target being a structured JSON object.

Training Procedure

The model was fine-tuned as a LoRA adapter over fdtn-ai/Foundation-Sec-8B-Instruct for causal language modeling.

Training Hyperparameters

  • Training regime: bf16 when supported, otherwise fp32
  • LoRA rank: 16
  • LoRA alpha: 32
  • LoRA dropout: 0.1
  • Target modules: q_proj, k_proj, v_proj, o_proj
  • Epochs: 2
  • Max sequence length: 2048
  • Learning rate: 2e-5
  • Weight decay: 0.05
  • Gradient accumulation steps: 4
  • Effective batch size: 16
  • Gradient checkpointing: enabled

Speeds, Sizes, Times

The adapter artifact is much smaller than the full base model because only LoRA parameters are stored. Evaluation and inference in Colab were performed using 4-bit loading for practical memory usage.

Evaluation

Testing Data, Factors & Metrics

Testing Data

The published benchmark was run on 200 examples sampled from:

  • AlicanKiraz0/All-CVE-Records-Training-Dataset

The reported sample used a balanced severity mix:

  • 25 Critical
  • 25 High
  • 25 Medium
  • 25 Low

Factors

The evaluation focuses on:

  • structured JSON validity
  • exact-match correctness on normalized fields
  • token overlap on short text spans
  • overlap-based quality on longer remediation text

Metrics

The evaluation used:

  • JSON validity rate
  • required key set match rate
  • field completeness
  • exact match for cve_id
  • exact match and Macro-F1 for severity
  • exact match and Token-F1 for affected_component
  • exact match, Token-F1, and CWE Macro-F1 for technical_root_cause
  • ROUGE-L for:
    • recommended_fix
    • developer_remediation_steps
    • verification_steps

BERTScore was not computed in the published run.

Results

Published benchmark results:

  • JSON validity: 0.9400
  • Required key match: 0.9400
  • Field completeness: 0.9400
  • CVE ID exact match: 0.9400
  • Severity exact match: 0.9400
  • Severity Macro-F1: 0.7748
  • Affected component exact match: 0.9400
  • Affected component Token-F1: 0.9400
  • Technical root cause exact match: 0.9400
  • Technical root cause Token-F1: 0.9400
  • Technical root cause CWE Macro-F1: 0.9062
  • Recommended fix ROUGE-L: 0.9367
  • Developer remediation ROUGE-L: 0.9228
  • Verification steps ROUGE-L: 0.9400

Summary

On the published 100-example Colab benchmark, the adapter showed strong schema adherence and high exact-match performance across most structured fields. The weakest reported metric is severity Macro-F1, which suggests that the remaining errors are concentrated in a subset of severity classes rather than evenly distributed.

Technical Specifications [optional]

Model Architecture and Objective

[More Information Needed]

Compute Infrastructure

Training used NVIDIA MI300X VRAM and Google Colab for testing.

Hardware

  • NVIDIA MI300X VRAM for training
  • Google Colab T4 GPU for evaluation

Software

  • Transformers
  • PEFT
  • PyTorch
  • Hugging Face Hub
  • rouge-score
  • scikit-learn

Citation [optional]

BibTeX:

@misc{secfix_lora_adapter,
  title={SecFix CVE Remediation LoRA Adapter},
  author={Ramitha},
  year={2026},
  howpublished={Hugging Face model repository}
}

APA:

Iddamalgoda, I. H. R. P. (2026). SecFix CVE Remediation LoRA Adapter [LoRA adapter]. Hugging Face.

Glossary

  • CVE: Common Vulnerabilities and Exposures identifier
  • CWE: Common Weakness Enumeration label
  • LoRA: Low-Rank Adaptation, a parameter-efficient fine-tuning method
  • ROUGE-L: Longest-common-subsequence overlap metric for generated text
  • Macro-F1: Class-balanced F1 score across labels

Framework versions

  • PEFT 0.19.1
Downloads last month
1
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support

Model tree for ramitha2002/SecFix-CVE-Remediation

Adapter
(1)
this model