exploitintel/cve-cwe-qwen3-8b
The exploitintel/cve-cwe-qwen3-8b model is an 8 billion parameter QLoRA fine-tune of Qwen3-8B, developed by exploitintel. It specializes in mapping free-text CVE descriptions to corresponding CWE weakness IDs, achieving an exact-match score of 0.676 and a Micro-F1 of 0.702 on a held-out test set. This model is optimized for vulnerability analysis, specifically for classifying CVEs by inferring or directly identifying associated CWEs.
Overview
exploitintel/cve-cwe-qwen3-8b is an 8 billion parameter model, fine-tuned from Qwen3-8B using QLoRA, designed to classify Common Vulnerabilities and Exposures (CVE) descriptions into Common Weakness Enumeration (CWE) IDs. Developed by exploitintel, this model is specifically trained to identify the CWEs associated with a given CVE description, even when the weakness is not explicitly named and requires inference.
Key Capabilities
- CVE to CWE Mapping: Accurately translates free-text CVE descriptions into one or more CWE IDs.
- Performance: Achieves an exact-match score of 0.676 and a Micro-F1 score of 0.702 on a held-out test set of 6,802 rows. For "easy" cases where the weakness is named, exact-match reaches 0.841.
- Robust Training: Trained on the exploitintel/cve-cwe-consensus dataset (69,386 rows), which ensures agreement between NVD and CNA labels and caps majority CWEs to improve learning of rare weaknesses.
- Deployment Flexibility: Available as a merged 16-bit model for direct use with transformers and includes a Q4_K_M GGUF for local runners like Ollama.
Good For
- Automated Vulnerability Triage: Assisting security analysts in quickly categorizing CVEs by their underlying weaknesses.
- Security Tooling Integration: Providing a programmatic way to enrich vulnerability data with standardized CWE classifications.
- Educational Purposes: Demonstrating the application of LLMs in cybersecurity for vulnerability analysis.
Limitations
- English-only: Processes only English CVE descriptions.
- Description-only: Does not utilize code, CVSS scores, or external references for classification.
- Validation Required: Outputs CWE IDs as text; validation against the official CWE list is recommended as it can occasionally emit malformed or non-existent IDs.
- Assistive Aid: Intended as a triage or assist aid, not an authoritative source for CWE assignment, requiring human review before acting on its predictions.
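One way to apply the validation step named under Limitations, as an added example that is not code from the model's authors. It assumes the model's answer arrives as free text containing tokens of the form `CWE-<number>`; the function name `validate_cwe_output` and the small `KNOWN_CWE_IDS` allowlist are hypothetical, and the allowlist is a constructed subset standing in for the full official CWE list.

```python
import re

# Constructed subset for this demo. In practice, load every ID from the
# official CWE list so that membership reflects the current catalogue.
KNOWN_CWE_IDS = {20, 22, 79, 89, 119, 125, 287, 352, 416, 787}

# Anything that looks like an attempted CWE reference, well-formed or not.
CANDIDATE = re.compile(r"\bCWE(?:[-_:]\w*|\d\w*)", re.IGNORECASE)
# Canonical form: "CWE-" plus a decimal number without leading zeros.
CANONICAL = re.compile(r"CWE-([1-9][0-9]{0,4})")


def validate_cwe_output(text, known_ids=KNOWN_CWE_IDS):
    """Sort CWE-like tokens in model output into accepted/unknown/malformed."""
    accepted, unknown, malformed = [], [], []
    for token in CANDIDATE.findall(text):
        match = CANONICAL.fullmatch(token)
        if match is None:
            bucket = malformed          # wrong case, missing dash, zero padding
        elif int(match.group(1)) in known_ids:
            bucket = accepted
        else:
            bucket = unknown            # well-formed but not in the CWE list
        if token not in bucket:         # de-duplicate, keep first-seen order
            bucket.append(token)
    return {
        "accepted": accepted,
        "unknown": unknown,
        "malformed": malformed,
        # Clean means: at least one valid ID and nothing suspicious beside it.
        "clean": bool(accepted) and not unknown and not malformed,
    }


if __name__ == "__main__":
    # Constructed sample outputs, not real model responses.
    samples = [
        "CWE-79, CWE-89",
        "CWE-787 and CWE-99999; also CWE-0125, cwe79",
        "no weakness identified",
    ]
    for sample in samples:
        print(repr(sample), "->", validate_cwe_output(sample))
```

A result with `clean` set to false is a candidate for rejection or re-prompting before it reaches an analyst; a clean result still goes through the human review the card calls for.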