Instructions to use ramitha2002/SecFix-CVE-Remediation with libraries, inference providers, notebooks, and local apps. Follow these links to get started.
- Libraries
- PEFT
How to use ramitha2002/SecFix-CVE-Remediation with PEFT:
from peft import PeftModel from transformers import AutoModelForCausalLM base_model = AutoModelForCausalLM.from_pretrained("fdtn-ai/Foundation-Sec-8B-Instruct") model = PeftModel.from_pretrained(base_model, "ramitha2002/SecFix-CVE-Remediation") - Transformers
How to use ramitha2002/SecFix-CVE-Remediation with Transformers:
# Use a pipeline as a high-level helper from transformers import pipeline pipe = pipeline("text-generation", model="ramitha2002/SecFix-CVE-Remediation") messages = [ {"role": "user", "content": "Who are you?"}, ] pipe(messages)# Load model directly from transformers import AutoModel model = AutoModel.from_pretrained("ramitha2002/SecFix-CVE-Remediation", dtype="auto") - Notebooks
- Google Colab
- Kaggle
- Local Apps Settings
- vLLM
How to use ramitha2002/SecFix-CVE-Remediation with vLLM:
Install from pip and serve model
# Install vLLM from pip: pip install vllm # Start the vLLM server: vllm serve "ramitha2002/SecFix-CVE-Remediation" # Call the server using curl (OpenAI-compatible API): curl -X POST "http://localhost:8000/v1/chat/completions" \ -H "Content-Type: application/json" \ --data '{ "model": "ramitha2002/SecFix-CVE-Remediation", "messages": [ { "role": "user", "content": "What is the capital of France?" } ] }'Use Docker
docker model run hf.co/ramitha2002/SecFix-CVE-Remediation
- SGLang
How to use ramitha2002/SecFix-CVE-Remediation with SGLang:
Install from pip and serve model
# Install SGLang from pip: pip install sglang # Start the SGLang server: python3 -m sglang.launch_server \ --model-path "ramitha2002/SecFix-CVE-Remediation" \ --host 0.0.0.0 \ --port 30000 # Call the server using curl (OpenAI-compatible API): curl -X POST "http://localhost:30000/v1/chat/completions" \ -H "Content-Type: application/json" \ --data '{ "model": "ramitha2002/SecFix-CVE-Remediation", "messages": [ { "role": "user", "content": "What is the capital of France?" } ] }'Use Docker images
docker run --gpus all \ --shm-size 32g \ -p 30000:30000 \ -v ~/.cache/huggingface:/root/.cache/huggingface \ --env "HF_TOKEN=<secret>" \ --ipc=host \ lmsysorg/sglang:latest \ python3 -m sglang.launch_server \ --model-path "ramitha2002/SecFix-CVE-Remediation" \ --host 0.0.0.0 \ --port 30000 # Call the server using curl (OpenAI-compatible API): curl -X POST "http://localhost:30000/v1/chat/completions" \ -H "Content-Type: application/json" \ --data '{ "model": "ramitha2002/SecFix-CVE-Remediation", "messages": [ { "role": "user", "content": "What is the capital of France?" } ] }' - Docker Model Runner
How to use ramitha2002/SecFix-CVE-Remediation with Docker Model Runner:
docker model run hf.co/ramitha2002/SecFix-CVE-Remediation
Model Card for Model ID
LoRA adapter for fdtn-ai/Foundation-Sec-8B-Instruct tuned for structured CVE remediation output. The model is designed to take CVE evidence and return a fixed seven-field JSON object containing severity, affected component, root cause, and remediation guidance.
Model Details
Model Description
This model is a parameter-efficient fine-tuning adapter built on top of fdtn-ai/Foundation-Sec-8B-Instruct. It is intended for structured vulnerability remediation assistance rather than open-ended chat. Given CVE evidence such as CVE ID, description, CVSS score, CWE, and affected component context, it generates a JSON response with a fixed schema:
cve_idseverityaffected_componenttechnical_root_causerecommended_fixdeveloper_remediation_stepsverification_steps
The adapter was evaluated in a Colab-based external benchmark on 100 CVE examples and showed strong schema adherence and high exact-match performance on most structured fields.
- Developed by: Ramitha Iddamalgoda
- Funded by [optional]: Self-directed
- Shared by [optional]: Ramitha Iddamalgoda
- Model type: LoRA adapter for causal language modeling
- Language(s) (NLP): English
- License: Apache 2.0
- Finetuned from model [optional]:
fdtn-ai/Foundation-Sec-8B-Instruct
Model Sources [optional]
- Paper [optional]: Not applicable
- Demo [optional]: Not available
Uses
Direct Use
This adapter is intended for structured CVE remediation tasks where the input contains vulnerability evidence and the desired output is a constrained JSON object. Likely uses include:
- vulnerability triage experiments
- structured remediation drafting
- evaluation workflows for CVE understanding
- prototype security assistant pipelines
Downstream Use
This adapter can be used inside larger systems that:
- collect CVE descriptions from vulnerability feeds
- normalize vulnerability information into a fixed schema
- generate remediation suggestions for analyst review
- compare structured output quality across model variants
Out-of-Scope Use
This model should not be used as:
- a fully autonomous security remediation engine
- a guaranteed-safe patch recommendation system
- a replacement for expert review in production security operations
- a general-purpose cybersecurity assistant outside its structured CVE task
Bias, Risks, and Limitations
This model inherits limitations from the base model and from its fine-tuning data. It may produce incomplete, incorrect, outdated, or oversimplified remediation guidance. Although it performs well on the reported benchmark, the benchmark is small and not a definitive production evaluation.
Recommendations
Use this model as an assistive tool, not an authoritative source. All outputs should be reviewed by a human with security context before operational use. When reporting results, describe them as an initial external benchmark rather than a final research-grade evaluation.
How to Get Started with the Model
Use the code below to get started with the model.
from transformers import AutoModelForCausalLM, AutoTokenizer
from peft import PeftModel
base_model = "fdtn-ai/Foundation-Sec-8B-Instruct"
adapter_repo = "your-username/secfix-cve-remediation-lora"
tokenizer = AutoTokenizer.from_pretrained(adapter_repo)
model = AutoModelForCausalLM.from_pretrained(base_model, device_map="auto")
model = PeftModel.from_pretrained(model, adapter_repo)
model.eval()
Example input format:
CVE ID: CVE-2024-11773
Description: SQL injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.
CVSS Score: 9.8
CWE: CWE-89
Affected Component: Ivanti - Cloud Services Application
Expected output schema:
{
"cve_id": "",
"severity": "",
"affected_component": "",
"technical_root_cause": "",
"recommended_fix": "",
"developer_remediation_steps": "",
"verification_steps": ""
}
Training Details
Training Data
The adapter was trained for structured CVE remediation tasks using public CVE-oriented datasets prepared into JSONL chat-style training rows. The broader project used public CVE records with descriptions, CVSS-derived severity information, CWE information where available, and remediation-oriented text derived from source evidence.
Datasets considered in the project included:
- AlicanKiraz0/All-CVE-Records-Training-Dataset
- iamthierno/cvedataset.jsonl
The final task format used a system prompt plus a user message containing CVE evidence, with the assistant target being a structured JSON object.
Training Procedure
The model was fine-tuned as a LoRA adapter over fdtn-ai/Foundation-Sec-8B-Instruct for causal language modeling.
Training Hyperparameters
- Training regime: bf16 when supported, otherwise fp32
- LoRA rank: 16
- LoRA alpha: 32
- LoRA dropout: 0.1
- Target modules:
q_proj,k_proj,v_proj,o_proj - Epochs: 2
- Max sequence length: 2048
- Learning rate: 2e-5
- Weight decay: 0.05
- Gradient accumulation steps: 4
- Effective batch size: 16
- Gradient checkpointing: enabled
Speeds, Sizes, Times
The adapter artifact is much smaller than the full base model because only LoRA parameters are stored. Evaluation and inference in Colab were performed using 4-bit loading for practical memory usage.
Evaluation
Testing Data, Factors & Metrics
Testing Data
The published benchmark was run on 200 examples sampled from:
AlicanKiraz0/All-CVE-Records-Training-Dataset
The reported sample used a balanced severity mix:
- 25 Critical
- 25 High
- 25 Medium
- 25 Low
Factors
The evaluation focuses on:
- structured JSON validity
- exact-match correctness on normalized fields
- token overlap on short text spans
- overlap-based quality on longer remediation text
Metrics
The evaluation used:
- JSON validity rate
- required key set match rate
- field completeness
- exact match for
cve_id - exact match and Macro-F1 for
severity - exact match and Token-F1 for
affected_component - exact match, Token-F1, and CWE Macro-F1 for
technical_root_cause - ROUGE-L for:
recommended_fixdeveloper_remediation_stepsverification_steps
BERTScore was not computed in the published run.
Results
Published benchmark results:
- JSON validity:
0.9400 - Required key match:
0.9400 - Field completeness:
0.9400 - CVE ID exact match:
0.9400 - Severity exact match:
0.9400 - Severity Macro-F1:
0.7748 - Affected component exact match:
0.9400 - Affected component Token-F1:
0.9400 - Technical root cause exact match:
0.9400 - Technical root cause Token-F1:
0.9400 - Technical root cause CWE Macro-F1:
0.9062 - Recommended fix ROUGE-L:
0.9367 - Developer remediation ROUGE-L:
0.9228 - Verification steps ROUGE-L:
0.9400
Summary
On the published 100-example Colab benchmark, the adapter showed strong schema adherence and high exact-match performance across most structured fields. The weakest reported metric is severity Macro-F1, which suggests that the remaining errors are concentrated in a subset of severity classes rather than evenly distributed.
Technical Specifications [optional]
Model Architecture and Objective
[More Information Needed]
Compute Infrastructure
Training used NVIDIA MI300X VRAM and Google Colab for testing.
Hardware
- NVIDIA MI300X VRAM for training
- Google Colab T4 GPU for evaluation
Software
- Transformers
- PEFT
- PyTorch
- Hugging Face Hub
- rouge-score
- scikit-learn
Citation [optional]
BibTeX:
@misc{secfix_lora_adapter,
title={SecFix CVE Remediation LoRA Adapter},
author={Ramitha},
year={2026},
howpublished={Hugging Face model repository}
}
APA:
Iddamalgoda, I. H. R. P. (2026). SecFix CVE Remediation LoRA Adapter [LoRA adapter]. Hugging Face.
Glossary
- CVE: Common Vulnerabilities and Exposures identifier
- CWE: Common Weakness Enumeration label
- LoRA: Low-Rank Adaptation, a parameter-efficient fine-tuning method
- ROUGE-L: Longest-common-subsequence overlap metric for generated text
- Macro-F1: Class-balanced F1 score across labels
Framework versions
- PEFT 0.19.1
- Downloads last month
- 1
Model tree for ramitha2002/SecFix-CVE-Remediation
Base model
meta-llama/Llama-3.1-8B