This study addresses the critical challenge of persistently unpatched or undisclosed vulnerabilities in open-source projects—referred to as PCVEs—which remain inadequately covered by existing detection tools due to their delayed exposure. To tackle this gap, the work proposes DeeptraVul, a novel framework that integrates multi-source development artifacts, including commit histories and issue reports, with code-level signals, and leverages large language models (LLMs) to generate contextual summaries for enhanced vulnerability identification. By constructing a multimodal detection pipeline, DeeptraVul significantly improves coverage over state-of-the-art approaches: empirical evaluation demonstrates a 14% increase in detection coverage across the full PCVE dataset and achieves up to 90% coverage on its dedicated PCVE subset, substantially outperforming both current SOTA tools and standalone LLM-based methods.

Timely resolution and disclosure of vulnerabilities are essential for maintaining the security of open-source software. However, many vulnerabilities remain unreported, unpatched, or undisclosed for extended periods, exposing users to prolonged security threats. While various vulnerability detection tools exist, they primarily focus on predicting or identifying known vulnerabilities, often failing to capture vulnerabilities that experience significant delays in resolution. In this study, we examine the vulnerability lifecycle by analyzing protracted vulnerabilities (PCVEs), which remain unresolved or undisclosed over long periods. We construct a dataset of PCVEs and conduct a qualitative analysis to uncover underlying causes of delay. To assess current automated solutions, we evaluate four state-of-the-art (SOTA) vulnerability detectors on our dataset. These tools detect only 1,059 out of 2,402 PCVEs, achieving approximately 44% coverage. To address this limitation, we propose DeeptraVul, an enhanced detection approach designed specifically for protracted cases. DeeptraVul integrates multiple development artifacts and code signals, supported by a Large Language Model (LLM)-based summarization component. For comparison, we also evaluate a standalone LLM. Our results show that DeeptraVul improves detection performance, achieving a 14% increase in coverage across all PCVEs and reaching 90% coverage on the DeeptraVul PCVE subset, outperforming existing SOTA detectors and standalone LLM based inference.