--- base_model: fdtn-ai/Foundation-Sec-8B-Instruct library_name: peft pipeline_tag: text-generation tags: - base_model:adapter:fdtn-ai/Foundation-Sec-8B-Instruct - lora - transformers - cybersecurity - vulnerability-remediation - cve --- # Model Card for Model ID LoRA adapter for `fdtn-ai/Foundation-Sec-8B-Instruct` tuned for structured CVE remediation output. The model is designed to take CVE evidence and return a fixed seven-field JSON object containing severity, affected component, root cause, and remediation guidance. ## Model Details ### Model Description This model is a parameter-efficient fine-tuning adapter built on top of `fdtn-ai/Foundation-Sec-8B-Instruct`. It is intended for structured vulnerability remediation assistance rather than open-ended chat. Given CVE evidence such as CVE ID, description, CVSS score, CWE, and affected component context, it generates a JSON response with a fixed schema: - `cve_id` - `severity` - `affected_component` - `technical_root_cause` - `recommended_fix` - `developer_remediation_steps` - `verification_steps` The adapter was evaluated in a Colab-based external benchmark on 100 CVE examples and showed strong schema adherence and high exact-match performance on most structured fields. - **Developed by:** Ramitha Iddamalgoda - **Funded by [optional]:** Self-directed - **Shared by [optional]:** Ramitha Iddamalgoda - **Model type:** LoRA adapter for causal language modeling - **Language(s) (NLP):** English - **License:** Apache 2.0 - **Finetuned from model [optional]:** `fdtn-ai/Foundation-Sec-8B-Instruct` ### Model Sources [optional] - **Paper [optional]:** Not applicable - **Demo [optional]:** Not available ## Uses ### Direct Use This adapter is intended for structured CVE remediation tasks where the input contains vulnerability evidence and the desired output is a constrained JSON object. Likely uses include: - vulnerability triage experiments - structured remediation drafting - evaluation workflows for CVE understanding - prototype security assistant pipelines ### Downstream Use This adapter can be used inside larger systems that: - collect CVE descriptions from vulnerability feeds - normalize vulnerability information into a fixed schema - generate remediation suggestions for analyst review - compare structured output quality across model variants ### Out-of-Scope Use This model should not be used as: - a fully autonomous security remediation engine - a guaranteed-safe patch recommendation system - a replacement for expert review in production security operations - a general-purpose cybersecurity assistant outside its structured CVE task ## Bias, Risks, and Limitations This model inherits limitations from the base model and from its fine-tuning data. It may produce incomplete, incorrect, outdated, or oversimplified remediation guidance. Although it performs well on the reported benchmark, the benchmark is small and not a definitive production evaluation. ### Recommendations Use this model as an assistive tool, not an authoritative source. All outputs should be reviewed by a human with security context before operational use. When reporting results, describe them as an initial external benchmark rather than a final research-grade evaluation. ## How to Get Started with the Model Use the code below to get started with the model. ```python from transformers import AutoModelForCausalLM, AutoTokenizer from peft import PeftModel base_model = "fdtn-ai/Foundation-Sec-8B-Instruct" adapter_repo = "your-username/secfix-cve-remediation-lora" tokenizer = AutoTokenizer.from_pretrained(adapter_repo) model = AutoModelForCausalLM.from_pretrained(base_model, device_map="auto") model = PeftModel.from_pretrained(model, adapter_repo) model.eval() ``` Example input format: ``` CVE ID: CVE-2024-11773 Description: SQL injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements. CVSS Score: 9.8 CWE: CWE-89 Affected Component: Ivanti - Cloud Services Application ``` Expected output schema: ``` { "cve_id": "", "severity": "", "affected_component": "", "technical_root_cause": "", "recommended_fix": "", "developer_remediation_steps": "", "verification_steps": "" } ``` ## Training Details ### Training Data The adapter was trained for structured CVE remediation tasks using public CVE-oriented datasets prepared into JSONL chat-style training rows. The broader project used public CVE records with descriptions, CVSS-derived severity information, CWE information where available, and remediation-oriented text derived from source evidence. Datasets considered in the project included: - AlicanKiraz0/All-CVE-Records-Training-Dataset - iamthierno/cvedataset.jsonl The final task format used a system prompt plus a user message containing CVE evidence, with the assistant target being a structured JSON object. ### Training Procedure The model was fine-tuned as a LoRA adapter over fdtn-ai/Foundation-Sec-8B-Instruct for causal language modeling. #### Training Hyperparameters - **Training regime:** bf16 when supported, otherwise fp32 - **LoRA rank:** 16 - **LoRA alpha:** 32 - **LoRA dropout:** 0.1 - **Target modules:** `q_proj`, `k_proj`, `v_proj`, `o_proj` - **Epochs:** 2 - **Max sequence length:** 2048 - **Learning rate:** 2e-5 - **Weight decay:** 0.05 - **Gradient accumulation steps:** 4 - **Effective batch size:** 16 - **Gradient checkpointing:** enabled #### Speeds, Sizes, Times The adapter artifact is much smaller than the full base model because only LoRA parameters are stored. Evaluation and inference in Colab were performed using 4-bit loading for practical memory usage. ## Evaluation ### Testing Data, Factors & Metrics #### Testing Data The published benchmark was run on 200 examples sampled from: - `AlicanKiraz0/All-CVE-Records-Training-Dataset` The reported sample used a balanced severity mix: - 25 Critical - 25 High - 25 Medium - 25 Low #### Factors The evaluation focuses on: - structured JSON validity - exact-match correctness on normalized fields - token overlap on short text spans - overlap-based quality on longer remediation text #### Metrics The evaluation used: - JSON validity rate - required key set match rate - field completeness - exact match for `cve_id` - exact match and Macro-F1 for `severity` - exact match and Token-F1 for `affected_component` - exact match, Token-F1, and CWE Macro-F1 for `technical_root_cause` - ROUGE-L for: - `recommended_fix` - `developer_remediation_steps` - `verification_steps` BERTScore was not computed in the published run. ### Results Published benchmark results: - JSON validity: `0.9400` - Required key match: `0.9400` - Field completeness: `0.9400` - CVE ID exact match: `0.9400` - Severity exact match: `0.9400` - Severity Macro-F1: `0.7748` - Affected component exact match: `0.9400` - Affected component Token-F1: `0.9400` - Technical root cause exact match: `0.9400` - Technical root cause Token-F1: `0.9400` - Technical root cause CWE Macro-F1: `0.9062` - Recommended fix ROUGE-L: `0.9367` - Developer remediation ROUGE-L: `0.9228` - Verification steps ROUGE-L: `0.9400` #### Summary On the published 100-example Colab benchmark, the adapter showed strong schema adherence and high exact-match performance across most structured fields. The weakest reported metric is severity Macro-F1, which suggests that the remaining errors are concentrated in a subset of severity classes rather than evenly distributed. ## Technical Specifications [optional] ### Model Architecture and Objective [More Information Needed] ### Compute Infrastructure Training used NVIDIA MI300X VRAM and Google Colab for testing. #### Hardware - NVIDIA MI300X VRAM for training - Google Colab T4 GPU for evaluation #### Software - Transformers - PEFT - PyTorch - Hugging Face Hub - rouge-score - scikit-learn ## Citation [optional] **BibTeX:** ```bibtex @misc{secfix_lora_adapter, title={SecFix CVE Remediation LoRA Adapter}, author={Ramitha}, year={2026}, howpublished={Hugging Face model repository} } ``` **APA:** Iddamalgoda, I. H. R. P. (2026). *SecFix CVE Remediation LoRA Adapter* [LoRA adapter]. Hugging Face. ## Glossary - **CVE:** Common Vulnerabilities and Exposures identifier - **CWE:** Common Weakness Enumeration label - **LoRA:** Low-Rank Adaptation, a parameter-efficient fine-tuning method - **ROUGE-L:** Longest-common-subsequence overlap metric for generated text - **Macro-F1:** Class-balanced F1 score across labels ### Framework versions - PEFT 0.19.1