Text Generation
PEFT
Safetensors
Transformers
lora
cybersecurity
vulnerability-remediation
cve
conversational
Instructions to use ramitha2002/SecFix-CVE-Remediation with libraries, inference providers, notebooks, and local apps. Follow these links to get started.
- Libraries
- PEFT
How to use ramitha2002/SecFix-CVE-Remediation with PEFT:
from peft import PeftModel from transformers import AutoModelForCausalLM base_model = AutoModelForCausalLM.from_pretrained("fdtn-ai/Foundation-Sec-8B-Instruct") model = PeftModel.from_pretrained(base_model, "ramitha2002/SecFix-CVE-Remediation") - Transformers
How to use ramitha2002/SecFix-CVE-Remediation with Transformers:
# Use a pipeline as a high-level helper from transformers import pipeline pipe = pipeline("text-generation", model="ramitha2002/SecFix-CVE-Remediation") messages = [ {"role": "user", "content": "Who are you?"}, ] pipe(messages)# Load model directly from transformers import AutoModel model = AutoModel.from_pretrained("ramitha2002/SecFix-CVE-Remediation", dtype="auto") - Notebooks
- Google Colab
- Kaggle
- Local Apps Settings
- vLLM
How to use ramitha2002/SecFix-CVE-Remediation with vLLM:
Install from pip and serve model
# Install vLLM from pip: pip install vllm # Start the vLLM server: vllm serve "ramitha2002/SecFix-CVE-Remediation" # Call the server using curl (OpenAI-compatible API): curl -X POST "http://localhost:8000/v1/chat/completions" \ -H "Content-Type: application/json" \ --data '{ "model": "ramitha2002/SecFix-CVE-Remediation", "messages": [ { "role": "user", "content": "What is the capital of France?" } ] }'Use Docker
docker model run hf.co/ramitha2002/SecFix-CVE-Remediation
- SGLang
How to use ramitha2002/SecFix-CVE-Remediation with SGLang:
Install from pip and serve model
# Install SGLang from pip: pip install sglang # Start the SGLang server: python3 -m sglang.launch_server \ --model-path "ramitha2002/SecFix-CVE-Remediation" \ --host 0.0.0.0 \ --port 30000 # Call the server using curl (OpenAI-compatible API): curl -X POST "http://localhost:30000/v1/chat/completions" \ -H "Content-Type: application/json" \ --data '{ "model": "ramitha2002/SecFix-CVE-Remediation", "messages": [ { "role": "user", "content": "What is the capital of France?" } ] }'Use Docker images
docker run --gpus all \ --shm-size 32g \ -p 30000:30000 \ -v ~/.cache/huggingface:/root/.cache/huggingface \ --env "HF_TOKEN=<secret>" \ --ipc=host \ lmsysorg/sglang:latest \ python3 -m sglang.launch_server \ --model-path "ramitha2002/SecFix-CVE-Remediation" \ --host 0.0.0.0 \ --port 30000 # Call the server using curl (OpenAI-compatible API): curl -X POST "http://localhost:30000/v1/chat/completions" \ -H "Content-Type: application/json" \ --data '{ "model": "ramitha2002/SecFix-CVE-Remediation", "messages": [ { "role": "user", "content": "What is the capital of France?" } ] }' - Docker Model Runner
How to use ramitha2002/SecFix-CVE-Remediation with Docker Model Runner:
docker model run hf.co/ramitha2002/SecFix-CVE-Remediation
| base_model: fdtn-ai/Foundation-Sec-8B-Instruct | |
| library_name: peft | |
| pipeline_tag: text-generation | |
| tags: | |
| - base_model:adapter:fdtn-ai/Foundation-Sec-8B-Instruct | |
| - lora | |
| - transformers | |
| - cybersecurity | |
| - vulnerability-remediation | |
| - cve | |
| # Model Card for Model ID | |
| LoRA adapter for `fdtn-ai/Foundation-Sec-8B-Instruct` tuned for structured CVE remediation output. The model is designed to take CVE evidence and return a fixed seven-field JSON object containing severity, affected component, root cause, and remediation guidance. | |
| ## Model Details | |
| ### Model Description | |
| This model is a parameter-efficient fine-tuning adapter built on top of `fdtn-ai/Foundation-Sec-8B-Instruct`. It is intended for structured vulnerability remediation assistance rather than open-ended chat. Given CVE evidence such as CVE ID, description, CVSS score, CWE, and affected component context, it generates a JSON response with a fixed schema: | |
| - `cve_id` | |
| - `severity` | |
| - `affected_component` | |
| - `technical_root_cause` | |
| - `recommended_fix` | |
| - `developer_remediation_steps` | |
| - `verification_steps` | |
| The adapter was evaluated in a Colab-based external benchmark on 100 CVE examples and showed strong schema adherence and high exact-match performance on most structured fields. | |
| - **Developed by:** Ramitha Iddamalgoda | |
| - **Funded by [optional]:** Self-directed | |
| - **Shared by [optional]:** Ramitha Iddamalgoda | |
| - **Model type:** LoRA adapter for causal language modeling | |
| - **Language(s) (NLP):** English | |
| - **License:** Apache 2.0 | |
| - **Finetuned from model [optional]:** `fdtn-ai/Foundation-Sec-8B-Instruct` | |
| ### Model Sources [optional] | |
| - **Paper [optional]:** Not applicable | |
| - **Demo [optional]:** Not available | |
| ## Uses | |
| ### Direct Use | |
| This adapter is intended for structured CVE remediation tasks where the input contains vulnerability evidence and the desired output is a constrained JSON object. Likely uses include: | |
| - vulnerability triage experiments | |
| - structured remediation drafting | |
| - evaluation workflows for CVE understanding | |
| - prototype security assistant pipelines | |
| ### Downstream Use | |
| This adapter can be used inside larger systems that: | |
| - collect CVE descriptions from vulnerability feeds | |
| - normalize vulnerability information into a fixed schema | |
| - generate remediation suggestions for analyst review | |
| - compare structured output quality across model variants | |
| ### Out-of-Scope Use | |
| This model should not be used as: | |
| - a fully autonomous security remediation engine | |
| - a guaranteed-safe patch recommendation system | |
| - a replacement for expert review in production security operations | |
| - a general-purpose cybersecurity assistant outside its structured CVE task | |
| ## Bias, Risks, and Limitations | |
| This model inherits limitations from the base model and from its fine-tuning data. It may produce incomplete, incorrect, outdated, or oversimplified remediation guidance. Although it performs well on the reported benchmark, the benchmark is small and not a definitive production evaluation. | |
| ### Recommendations | |
| Use this model as an assistive tool, not an authoritative source. All outputs should be reviewed by a human with security context before operational use. When reporting results, describe them as an initial external benchmark rather than a final research-grade evaluation. | |
| ## How to Get Started with the Model | |
| Use the code below to get started with the model. | |
| ```python | |
| from transformers import AutoModelForCausalLM, AutoTokenizer | |
| from peft import PeftModel | |
| base_model = "fdtn-ai/Foundation-Sec-8B-Instruct" | |
| adapter_repo = "your-username/secfix-cve-remediation-lora" | |
| tokenizer = AutoTokenizer.from_pretrained(adapter_repo) | |
| model = AutoModelForCausalLM.from_pretrained(base_model, device_map="auto") | |
| model = PeftModel.from_pretrained(model, adapter_repo) | |
| model.eval() | |
| ``` | |
| Example input format: | |
| ``` | |
| CVE ID: CVE-2024-11773 | |
| Description: SQL injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements. | |
| CVSS Score: 9.8 | |
| CWE: CWE-89 | |
| Affected Component: Ivanti - Cloud Services Application | |
| ``` | |
| Expected output schema: | |
| ``` | |
| { | |
| "cve_id": "", | |
| "severity": "", | |
| "affected_component": "", | |
| "technical_root_cause": "", | |
| "recommended_fix": "", | |
| "developer_remediation_steps": "", | |
| "verification_steps": "" | |
| } | |
| ``` | |
| ## Training Details | |
| ### Training Data | |
| The adapter was trained for structured CVE remediation tasks using public CVE-oriented datasets prepared into JSONL chat-style training rows. The broader project used public CVE records with descriptions, CVSS-derived severity information, CWE information where available, and remediation-oriented text derived from source evidence. | |
| Datasets considered in the project included: | |
| - AlicanKiraz0/All-CVE-Records-Training-Dataset | |
| - iamthierno/cvedataset.jsonl | |
| The final task format used a system prompt plus a user message containing CVE evidence, with the assistant target being a structured JSON object. | |
| ### Training Procedure | |
| The model was fine-tuned as a LoRA adapter over fdtn-ai/Foundation-Sec-8B-Instruct for causal language modeling. | |
| #### Training Hyperparameters | |
| - **Training regime:** bf16 when supported, otherwise fp32 | |
| - **LoRA rank:** 16 | |
| - **LoRA alpha:** 32 | |
| - **LoRA dropout:** 0.1 | |
| - **Target modules:** `q_proj`, `k_proj`, `v_proj`, `o_proj` | |
| - **Epochs:** 2 | |
| - **Max sequence length:** 2048 | |
| - **Learning rate:** 2e-5 | |
| - **Weight decay:** 0.05 | |
| - **Gradient accumulation steps:** 4 | |
| - **Effective batch size:** 16 | |
| - **Gradient checkpointing:** enabled | |
| #### Speeds, Sizes, Times | |
| The adapter artifact is much smaller than the full base model because only LoRA parameters are stored. Evaluation and inference in Colab were performed using 4-bit loading for practical memory usage. | |
| ## Evaluation | |
| ### Testing Data, Factors & Metrics | |
| #### Testing Data | |
| The published benchmark was run on 200 examples sampled from: | |
| - `AlicanKiraz0/All-CVE-Records-Training-Dataset` | |
| The reported sample used a balanced severity mix: | |
| - 25 Critical | |
| - 25 High | |
| - 25 Medium | |
| - 25 Low | |
| #### Factors | |
| The evaluation focuses on: | |
| - structured JSON validity | |
| - exact-match correctness on normalized fields | |
| - token overlap on short text spans | |
| - overlap-based quality on longer remediation text | |
| #### Metrics | |
| The evaluation used: | |
| - JSON validity rate | |
| - required key set match rate | |
| - field completeness | |
| - exact match for `cve_id` | |
| - exact match and Macro-F1 for `severity` | |
| - exact match and Token-F1 for `affected_component` | |
| - exact match, Token-F1, and CWE Macro-F1 for `technical_root_cause` | |
| - ROUGE-L for: | |
| - `recommended_fix` | |
| - `developer_remediation_steps` | |
| - `verification_steps` | |
| BERTScore was not computed in the published run. | |
| ### Results | |
| Published benchmark results: | |
| - JSON validity: `0.9400` | |
| - Required key match: `0.9400` | |
| - Field completeness: `0.9400` | |
| - CVE ID exact match: `0.9400` | |
| - Severity exact match: `0.9400` | |
| - Severity Macro-F1: `0.7748` | |
| - Affected component exact match: `0.9400` | |
| - Affected component Token-F1: `0.9400` | |
| - Technical root cause exact match: `0.9400` | |
| - Technical root cause Token-F1: `0.9400` | |
| - Technical root cause CWE Macro-F1: `0.9062` | |
| - Recommended fix ROUGE-L: `0.9367` | |
| - Developer remediation ROUGE-L: `0.9228` | |
| - Verification steps ROUGE-L: `0.9400` | |
| #### Summary | |
| On the published 100-example Colab benchmark, the adapter showed strong schema adherence and high exact-match performance across most structured fields. The weakest reported metric is severity Macro-F1, which suggests that the remaining errors are concentrated in a subset of severity classes rather than evenly distributed. | |
| ## Technical Specifications [optional] | |
| ### Model Architecture and Objective | |
| [More Information Needed] | |
| ### Compute Infrastructure | |
| Training used NVIDIA MI300X VRAM and Google Colab for testing. | |
| #### Hardware | |
| - NVIDIA MI300X VRAM for training | |
| - Google Colab T4 GPU for evaluation | |
| #### Software | |
| - Transformers | |
| - PEFT | |
| - PyTorch | |
| - Hugging Face Hub | |
| - rouge-score | |
| - scikit-learn | |
| ## Citation [optional] | |
| **BibTeX:** | |
| ```bibtex | |
| @misc{secfix_lora_adapter, | |
| title={SecFix CVE Remediation LoRA Adapter}, | |
| author={Ramitha}, | |
| year={2026}, | |
| howpublished={Hugging Face model repository} | |
| } | |
| ``` | |
| **APA:** | |
| Iddamalgoda, I. H. R. P. (2026). *SecFix CVE Remediation LoRA Adapter* [LoRA adapter]. Hugging Face. | |
| ## Glossary | |
| - **CVE:** Common Vulnerabilities and Exposures identifier | |
| - **CWE:** Common Weakness Enumeration label | |
| - **LoRA:** Low-Rank Adaptation, a parameter-efficient fine-tuning method | |
| - **ROUGE-L:** Longest-common-subsequence overlap metric for generated text | |
| - **Macro-F1:** Class-balanced F1 score across labels | |
| ### Framework versions | |
| - PEFT 0.19.1 |