Negative-Days with Vulnerability Spoiler Alert: Three Months Later

Vulnerability Spoiler Alert is an LLM-based tool that monitors open-source git repositories for security patches before CVEs are published. The key insight is framing the problem as "does this commit patch a vulnerability?" rather than "is this code vulnerable?": the former is tractable via single-turn API calls by leveraging commit message context, while the latter approaches an undecidable halting-problem analog. Over 3 months across 10 repos: 47 confirmed CVEs from 152 findings (41 false positives), with 35 CVEs detected an average of 2 days before public disclosure (max 27 days for Next.js CVE-2026-27979). The pipeline uses a tiered model approach (small model triage → large model analysis → async Copilot agent verification) to keep costs at ~$5/week, and moves human-in-the-loop triage to an async cron job after manual review proved unsustainable.
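The tiered structure described above, as an added illustration rather than the tool's own code: a cheap lexical triage stage scores each commit on signals in its message and diff, only commits above a threshold are escalated to an expensive stage (an injectable callable standing in for the large-model call), and a small helper computes the "negative days" between detection and CVE publication. The signal lists, the sample commits, the stand-in verdicts and the dates are all constructed for this example and are not the project's heuristics or results.

```python
"""Tiered 'does this commit patch a vulnerability?' triage (added example)."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional

# Illustrative signals for the cheap triage stage (constructed, not the tool's).
MESSAGE_SIGNALS = {
    r"\b(overflow|out[- ]of[- ]bounds|oob)\b": 3,
    r"\b(sanitiz|escape|validate|validation)\w*": 2,
    r"\b(bypass|auth|authoriz|privilege)\w*": 2,
    r"\b(dos|denial of service|infinite loop|recursion)\b": 2,
    r"\b(security|vuln|cve|advisory|ghsa)\w*": 3,
    r"\bfix(es|ed)?\b": 1,
}
DIFF_SIGNALS = {
    r"^\+.*\b(len|length|size)\b.*[<>]=?": 2,        # added length/bounds check
    r"^\+.*\b(if|return)\b.*\b(null|none|nil)\b": 1,  # added null guard
    r"^\+.*\b(escape|sanitize|quote)\w*\(": 2,        # added escaping call
    r"^\+.*\braise\b|^\+.*\bthrow\b": 1,              # added error path
}

@dataclass
class Commit:
    sha: str
    message: str
    diff: str

@dataclass
class Finding:
    sha: str
    triage_score: int
    escalated: bool
    verdict: Optional[bool]  # None when the expensive stage was never called

def triage_score(commit: Commit) -> int:
    """Stage 1: cheap lexical score over message and added diff lines."""
    score = 0
    for pattern, weight in MESSAGE_SIGNALS.items():
        if re.search(pattern, commit.message, re.IGNORECASE):
            score += weight
    for pattern, weight in DIFF_SIGNALS.items():
        if re.search(pattern, commit.diff, re.IGNORECASE | re.MULTILINE):
            score += weight
    return score

def run_pipeline(commits: List[Commit],
                 expensive_stage: Callable[[Commit], bool],
                 threshold: int = 3) -> List[Finding]:
    """Only commits scoring >= threshold reach the expensive stage."""
    findings = []
    for c in commits:
        s = triage_score(c)
        if s >= threshold:
            findings.append(Finding(c.sha, s, True, expensive_stage(c)))
        else:
            findings.append(Finding(c.sha, s, False, None))
    return findings

def lead_time_days(detected: date, published: date) -> int:
    """Negative means the patch was flagged before the CVE went public."""
    return (detected - published).days

# Constructed sample commits (hypothetical shas, files and diffs).
SAMPLE_COMMITS = [
    Commit("a1b2c3", "Fix out-of-bounds read in the header parser",
           "--- a/parser.c\n+++ b/parser.c\n@@ -10,6 +10,8 @@ int parse_header(const char *buf, size_t len, size_t buf_size)\n"
           " {\n+    if (len > buf_size)\n+        return -1;\n     memcpy(hdr, buf, len);\n"),
    Commit("b2c3d4", "docs: fix typo in README",
           "--- a/README.md\n+++ b/README.md\n-Instal the package with pip.\n+Install the package with pip.\n"),
    Commit("c3d4e5", "Escape user-supplied title before rendering the template",
           "--- a/render.py\n+++ b/render.py\n@@ -5,4 +5,5 @@ def render_title(title):\n"
           "-    return \"<h1>\" + title + \"</h1>\"\n+    from html import escape\n"
           "+    return \"<h1>\" + escape(title) + \"</h1>\"\n"),
    Commit("d4e5f6", "Bump pinned dependency versions",
           "--- a/requirements.txt\n+++ b/requirements.txt\n-examplelib==1.2.2\n+examplelib==1.2.3\n"),
]

# Constructed verdicts standing in for the large-model analysis stage.
CONSTRUCTED_VERDICTS = {"a1b2c3": True, "c3d4e5": True}

def stand_in_large_model(commit: Commit) -> bool:
    return CONSTRUCTED_VERDICTS.get(commit.sha, False)

def example_lead_time() -> int:
    # Constructed dates: flagged on 2 March, CVE published on 4 March -> -2 days.
    return lead_time_days(date(2026, 3, 2), date(2026, 3, 4))

if __name__ == "__main__":
    for f in run_pipeline(SAMPLE_COMMITS, stand_in_large_model):
        print(f)
    print("lead time (days):", example_lead_time())
```

Run as written and only two of the four commits reach the expensive stage; the documentation and dependency-bump commits are rejected by the cheap stage, which is where the cost control in the tiered design comes from.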

This post is licensed under CC BY 4.0 by the author.