Exposing and Defending Membership Leakage in Vulnerability Prediction Models

📅 2025-12-09
🤖 AI Summary
This work presents the first systematic investigation of membership inference attacks (MIAs) against vulnerability prediction (VP) models, exposing severe privacy leakage risks in code analysis: adversaries can accurately infer training-sample membership solely from model outputs, particularly logits and loss values. To mitigate this threat, the paper proposes NMID, a lightweight noise-based defense module that jointly applies output masking and calibrated Gaussian noise injection and is effective under both black-box and gray-box attack settings. Extensive experiments on LSTM, BiGRU, and CodeBERT architectures demonstrate that NMID reduces MIA AUC from ≈1.0 to below 0.65, substantially degrading attack success rates, while preserving near-original vulnerability detection performance. The study bridges a critical gap in privacy risk assessment for code security models and delivers a practical, low-overhead defense mechanism that requires no architectural modification.

📝 Abstract
Neural models for vulnerability prediction (VP) have achieved impressive performance by learning from large-scale code repositories. However, their susceptibility to Membership Inference Attacks (MIAs), where adversaries aim to infer whether a particular code sample was used during training, poses serious privacy concerns. While MIA has been widely investigated in NLP and vision domains, its effects on security-critical code analysis tasks remain underexplored. In this work, we conduct the first comprehensive analysis of MIA on VP models, evaluating the attack success across various architectures (LSTM, BiGRU, and CodeBERT) and feature combinations, including embeddings, logits, loss, and confidence. Our threat model aligns with black-box and gray-box settings where prediction outputs are observable, allowing adversaries to infer membership by analyzing output discrepancies between training and non-training samples. The empirical findings reveal that logits and loss are the most informative and vulnerable outputs for membership leakage. Motivated by these observations, we propose a Noise-based Membership Inference Defense (NMID), which is a lightweight defense module that applies output masking and Gaussian noise injection to disrupt adversarial inference. Extensive experiments demonstrate that NMID significantly reduces MIA effectiveness, lowering the attack AUC from nearly 1.0 to below 0.65, while preserving the predictive utility of VP models. Our study highlights critical privacy risks in code analysis and offers actionable defense strategies for securing AI-powered software systems.
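
The leakage and the defense idea described in the abstract, as an added example that is not the paper's NMID implementation: a confidence-based membership score is evaluated on constructed logits, then re-evaluated after Gaussian noise is added to the logits and the output is masked to the clean label plus one rounded confidence. The margins, `sigma`, the rounding and all function names are assumptions made for illustration.

```python
import math
import random

def softmax(z):
    m = max(z)
    e = [math.exp(x - m) for x in z]
    s = sum(e)
    return [x / s for x in e]

def serve(logits, rng=None, sigma=0.0, digits=None):
    """Return (label, confidence). With rng set, apply the assumed defense:
    Gaussian noise on the logits, then mask the output down to the clean
    label plus one coarsely rounded confidence value."""
    label = max(range(len(logits)), key=logits.__getitem__)
    if rng is not None:
        logits = [z + rng.gauss(0.0, sigma) for z in logits]
    conf = softmax(logits)[label]
    return label, (conf if digits is None else round(conf, digits))

def attack_score(output, true_label):
    """Confidence-based MIA score for a binary model: probability on the true label."""
    label, conf = output
    return conf if label == true_label else 1.0 - conf

def auc(members, nonmembers):
    """Chance that a random member outscores a random non-member (ties count half)."""
    wins = sum((m > n) + 0.5 * (m == n) for m in members for n in nonmembers)
    return wins / (len(members) * len(nonmembers))

def run(seed=7, n=400, sigma=4.0):
    rng = random.Random(seed)
    # Constructed logits, true class = 1: members are fit with a larger margin.
    mem = [[rng.gauss(0, 1), rng.gauss(6, 1)] for _ in range(n)]
    non = [[rng.gauss(0, 1), rng.gauss(2, 1)] for _ in range(n)]
    result = {}
    for name, kw in (("clean", {}), ("defended", dict(rng=rng, sigma=sigma, digits=1))):
        out_m = [serve(z, **kw) for z in mem]
        out_n = [serve(z, **kw) for z in non]
        result[name] = {
            "auc": auc([attack_score(o, 1) for o in out_m],
                       [attack_score(o, 1) for o in out_n]),
            "acc": sum(o[0] == 1 for o in out_n) / n,  # held-out accuracy
        }
    return result

if __name__ == "__main__":
    print(run())
```

Because the served label is taken from the clean logits, held-out accuracy is identical in both rows; only the confidence signal the membership score relies on is degraded.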

Problem

Research questions and friction points this paper is trying to address.

Investigates membership inference attacks on vulnerability prediction models
Evaluates attack success across various model architectures and features
Proposes a noise-based defense to reduce privacy risks effectively

Innovation

Methods, ideas, or system contributions that make the work stand out.

Evaluates MIA vulnerability across multiple neural architectures and features
Proposes NMID defense using output masking and Gaussian noise injection
Reduces attack AUC significantly while preserving model predictive utility
Yihan Liao
Department of Computer Science, City University of Hong Kong, Hong Kong, China
Jacky Keung
Department of Computer Science, City University of Hong Kong, Hong Kong, China
Xiaoxue Ma
Electronic Engineering and Computer Science, Hong Kong Metropolitan University, Hong Kong, China
Jingyu Zhang
WNLO Huazhong University of Science and Technology
Yicheng Sun
Department of Computer Science, City University of Hong Kong, Hong Kong, China