ARVO: Atlas of Reproducible Vulnerabilities for Open-Source Software
Researchers introduce ARVO, a large-scale dataset of over 6,100 reproducible vulnerabilities from open-source software projects, addressing a critical gap in security research by prioritizing reproducibility alongside scale and diversity. The dataset achieves 81% successful vulnerability reproduction and 89.4% patch identification accuracy, enabling automated analysis and direct vulnerability interaction capabilities absent in existing datasets.
The ARVO dataset represents a significant methodological advancement in software security research by solving a long-standing tension between reproducibility, scale, and diversity in vulnerability datasets. Historically, security researchers have sacrificed reproducibility to achieve larger, more diverse datasets, limiting the insights that could be extracted and validated. This work inverts that priority, demonstrating that reproducibility at scale is achievable through systematic identification and resolution of reproduction obstacles.
The security research community has long struggled with dataset limitations. Existing vulnerability databases often lack the contextual information, environment specifications, and patch metadata necessary to reliably recreate bugs across different versions and configurations. ARVO addresses this by providing each vulnerability in a consistently rebuildable form, fundamentally changing how researchers can work with historical bug data. The automatic patch identification capability is particularly valuable, as manually linking vulnerabilities to their fixes remains labor-intensive and error-prone.
For software development organizations and security practitioners, ARVO's high reproduction success rate (81%) and patch accuracy (89.4%) create immediate practical applications. Developers can use the dataset to understand real-world attack vectors, test defensive measures, and validate patch effectiveness. This accessibility benefits both open-source maintainers and downstream security tool builders who rely on quality training data.
Looking ahead, ARVO's methodology could establish new standards for vulnerability dataset construction across the industry. As automated security analysis tools become more sophisticated, the availability of reliably reproducible vulnerabilities at scale will accelerate both vulnerability discovery and mitigation research. The dataset's influence on upstream development practices suggests organizations will increasingly adopt reproducibility-first approaches to bug tracking and disclosure.
- The ARVO dataset contains 6,100+ real-world vulnerabilities from 311 open-source projects with an 81% reproducibility rate
- Reproducible vulnerabilities enable automatic patch identification with 89.4% accuracy, a capability absent in prior large-scale datasets
- The dataset resolves the historical trade-off between reproducibility and scale by systematically addressing major reproduction obstacles
- Direct vulnerability interaction and consistent rebuilding across versions support advanced automated security research and validation
- ARVO's reproducibility-first approach establishes new benchmarks for vulnerability dataset construction in security research