
Trust Issues: Can We Actually Validate Automated Vulnerability Repair?
You cannot tell an automated vulnerability repair worked unless you prove two things at once: the vulnerability is genuinely closed, and the program still works. Here is why the public AVR benchmarks cannot measure that, and how we built one that can.