VULPO: Context-Aware Vulnerability Detection via On-Policy LLM Optimization

Researchers introduce VULPO, an on-policy LLM optimization framework for vulnerability detection that achieves 203% improvement over baseline models by incorporating context-aware reasoning and multidimensional reward signals. The approach combines a new ContextVul dataset with specialized fine-tuning to create more effective security analysis tools that reason through complex code interactions.

VULPO represents a meaningful advancement in applying large language models to software security, addressing a critical gap between theoretical LLM capabilities and practical vulnerability detection needs. The research demonstrates that existing vulnerability detection approaches fail because they lack sufficient contextual information and struggle to model the reasoning process required to identify security flaws in real repositories. This limitation has significant implications for software security, as undetected vulnerabilities in production code remain a leading cause of data breaches and exploits.

The technical innovation centers on two key contributions: the ContextVul dataset enriches existing vulnerability benchmarks with repository-level context and reasoning traces that better reflect real-world complexity, while the VULPO framework uses multidimensional rewards to optimize not just vulnerability identification but also proper localization and causal reasoning quality. This represents an evolution beyond outcome-centric supervision toward process-oriented training that teaches models how to reason about security issues.

The performance metrics carry practical weight—a 203% relative improvement over Qwen3-4B and competitive performance against DeepSeek-V3.1 suggests that specialized security reasoning models can match or exceed significantly larger general-purpose models. For developers and organizations, this means more efficient vulnerability detection tools that require fewer computational resources while maintaining higher accuracy. The emergence of specialized vulnerability reasoning LLMs indicates the security tooling landscape is maturing beyond generic model applications toward domain-specific optimization.

• →VULPO achieves 203% improvement in vulnerability detection performance by incorporating repository-level context and causal reasoning supervision.
• →The ContextVul dataset addresses the critical gap of missing contextual information in existing vulnerability benchmarks.
• →Multidimensional rewards targeting identification, localization, and reasoning quality prevent reward hacking and improve RL effectiveness.
• →VULPO-4B matches performance of 150% larger models, suggesting specialized security LLMs can achieve efficiency gains.
• →This advancement has direct implications for software security practices and developer tooling in production environments.