VeriPort: Automated and Verified Patch Backporting at Scale

📅 2026-06-21
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the critical challenge that security patches for open-source software are typically released only for the latest versions, leaving older versions vulnerable and difficult to remediate. The authors propose the first end-to-end agent system that integrates program analysis, formal verification, and automated testing to automatically backport security patches across all affected historical versions at scale. Their approach not only generates verified patches that provably eliminate vulnerabilities while preserving original functionality but also constructs verifiable evidence chains to support correctness claims. Notably, it enables the first verifiable, full-version-spectrum patch backporting, capable of identifying mislabeled or omitted vulnerable versions. Evaluated on BackportBench, the method successfully completes 95.3% of backporting tasks—outperforming the previous state of the art by 22.7 percentage points—and produces over 5,000 verified patches for 169 high-severity CVEs, leading to corrections in 23 official security advisories.
📝 Abstract
One of the key challenges for securing the software supply chain is addressing known vulnerabilities in third-party open-source dependencies. Security patches are frequently only available for the latest version of a dependency, leaving developers with the choice of either upgrading to the latest version (risking breaking changes) or manually backporting the security fix. Prior work backports to a single version that must be specified in advance and does not produce sufficient evidence to demonstrate that their patches block exploitation and preserve functionality. In this paper, we present VeriPort, an end-to-end agentic system that scalably backports a patch for a given vulnerability advisory to every affected version of the package. For each backport, VeriPort builds a chain of evidence to confirm that the patch blocks exploitation and preserves intended behavior. VeriPort reliably resolves 95.3% of 128 backporting tasks in BackportBench, outperforming the best existing solution (Claude Code) by 22.7 percentage points. We further deployed VeriPort on 169 high- and critical-severity CVEs and have generated over 5,000 verified backported patches. Moreover, VeriPort's value extends beyond simply backporting patches. It uncovered 2,100 versions incorrectly reported as affected and 127 previously unidentified vulnerable versions across 92 advisories, and 23 advisories have since been corrected upstream by removing 387 versions and adding 81.
Problem

Research questions and friction points this paper is trying to address.

patch backporting
software supply chain security
vulnerability remediation
open-source dependencies
CVE
Innovation

Methods, ideas, or system contributions that make the work stand out.

automated backporting
verified patching
software supply chain security
vulnerability remediation
agentic system
🔎 Similar Papers
No similar papers found.