Hugging Face's logo

exploitintel
/
cve-cwe-gemma4-12b

Text Generation
Transformers
Safetensors
English
gemma4_unified
image-text-to-text
cybersecurity
cve
cwe
vulnerability
text-classification
gemma4
qlora
conversational
Model card Files
xet
 Community
exploitintel commited on
Commit
780995b
·
verified ·
1 Parent(s): f26fb88

Upload blog.md with huggingface_hub

Browse files
Files changed (1) hide show
  1. blog.md +15 -1
blog.md CHANGED
@@ -4,6 +4,20 @@
4
 
5
  ---
6
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
7
  ## Everyone has met this intern
8
 
9
  You know the type. Razor-sharp, eager, genuinely knows the material — and constitutionally incapable of answering a yes-or-no question without a TED talk. Ask where the printer is and you get a history of toner.
@@ -159,6 +173,6 @@ None of these were hard once spotted. Every one of them was invisible until we t
159
  - **Macro-F1 is the honest metric for long-tail problems.** It's where v1 failed (0.067), where v2 won (0.500), and where quantization quietly bills you. Report only accuracy and you'd miss all three stories. Pick the metric that can embarrass you.
160
  - **Verify the unglamorous things.** Our scariest near-miss wasn't a subtle modeling error; it was a 640 MB file wearing a 12 GB model's name tag. Half of doing this honestly is making sure the thing under test is the thing you think it is — and that one flattering average isn't hiding a dead tail.
161
 
162
- The result is a small, fast, refreshingly tight-lipped tool: feed it a messy CVE description, get back a clean set of CWE IDs, in eleven tokens, more reliably than the far chattier model it was carved from. It's not a replacement for a human analyst — it still fumbles the deepest multi-label chains, and it's a triage aid, not an oracle. But for anyone with more bug reports to map than hours to map them, it's a real extra pair of hands. A tireless triage nurse who, at long last, has learned to stop explaining.
163
 
164
  *Grab it: [full model](https://huggingface.co/exploitintel/cve-cwe-gemma4-12b) · [quantized for laptops](https://huggingface.co/exploitintel/cve-cwe-gemma4-12b-GGUF) · [the dataset we trained on](https://huggingface.co/datasets/exploitintel/cve-cwe-consensus)*
 
4
 
5
  ---
6
 
7
+ ## The problem: a flood of bugs, and nobody to file them
8
+
9
+ Every year the world logs tens of thousands of new software vulnerabilities. Each one gets a **CVE** — a public record stating that one specific thing is broken in one specific product — and the count climbs relentlessly. In 2024 it climbed straight into a wall: the U.S. National Vulnerability Database, the clearinghouse that *enriches* those raw records with structured metadata, fell dramatically behind, leaving a mountain of CVEs with a description and little else attached.
10
+
11
+ One of the most valuable pieces of that "little else" is the **CWE** — the weakness category, the answer to *what kind of mistake was this?* (Full definition in a moment.) Without it, a vulnerability is an isolated anecdote. With it, you can do the work that actually matters: notice a vendor shipping the same class of bug over and over, prioritize the weaknesses that genuinely threaten you, measure whether your defenses are improving, and tie a brand-new CVE to everything you already know about that failure mode.
12
+
13
+ But assigning a CWE is slow, manual, and inconsistent. Different analysts reach for different categories; many CVEs never receive a dependable mapping at all; and the boundaries between categories are subtle enough to start arguments among experts. Meanwhile the backlog only grows.
14
+
15
+ This is exactly our problem at **[exploit-intel.com](https://exploit-intel.com)**. We take in the entire CVE firehose and turn it into usable intelligence — and that depends on every incoming vulnerability being tagged with its weakness category *consistently, immediately, and without waiting in anyone else's queue.* At this volume, by hand, that's hopeless. We needed a classifier of our own: something that reads a raw CVE description and reliably names the CWE(s), at scale, on our own infrastructure.
16
+
17
+ The obvious move in 2026 is to point a capable language model at the job. So we did — and immediately met an old friend.
18
+
19
+ ---
20
+
21
  ## Everyone has met this intern
22
 
23
  You know the type. Razor-sharp, eager, genuinely knows the material — and constitutionally incapable of answering a yes-or-no question without a TED talk. Ask where the printer is and you get a history of toner.
 
173
  - **Macro-F1 is the honest metric for long-tail problems.** It's where v1 failed (0.067), where v2 won (0.500), and where quantization quietly bills you. Report only accuracy and you'd miss all three stories. Pick the metric that can embarrass you.
174
  - **Verify the unglamorous things.** Our scariest near-miss wasn't a subtle modeling error; it was a 640 MB file wearing a 12 GB model's name tag. Half of doing this honestly is making sure the thing under test is the thing you think it is — and that one flattering average isn't hiding a dead tail.
175
 
176
+ The result is a small, fast, refreshingly tight-lipped tool: feed it a messy CVE description, get back a clean set of CWE IDs, in eleven tokens, more reliably than the far chattier model it was carved from. It's not a replacement for a human analyst — it still fumbles the deepest multi-label chains, and it's a triage aid, not an oracle. But for us at exploit-intel.com it closes the exact gap we started with: every CVE that lands in the pipeline gets its weakness category the moment it arrives — on our own hardware, in eleven tokens, with no backlog and nobody else's queue to wait on. And for anyone else with more bug reports to map than hours to map them, it's a real extra pair of hands. A tireless triage nurse who, at long last, has learned to stop explaining.
177
 
178
  *Grab it: [full model](https://huggingface.co/exploitintel/cve-cwe-gemma4-12b) · [quantized for laptops](https://huggingface.co/exploitintel/cve-cwe-gemma4-12b-GGUF) · [the dataset we trained on](https://huggingface.co/datasets/exploitintel/cve-cwe-consensus)*