Software Vulnerability Management in the Era of Artificial Intelligence: An Industry Perspective

Software Vulnerability Management in the Era of Artificial Intelligence: An Industry Perspective M. Mehdi Kholoosi School of Computer Science and Information Technology Adelaide University Adelaide, Australia mehdi.kholoosi@adelaide.edu.au Triet Huynh Minh Le School of Computer Science and Information Technology Adelaide University Adelaide, Australia triet.h.le@adelaide.edu.au M. Ali Babar School of Computer Science and Information Technology Adelaide University & Elevexai Systems Adelaide, Australia ali.babar@adelaide.edu.au Abstract Artificial Intelligence (AI) has revolutionized software devel- opment, particularly by automating repetitive tasks and improv- ing developer productivity. While these advancements are well- documented, the use of AI-powered tools for Software Vulnerabil- ity Management (SVM), such as vulnerability detection and repair, remains underexplored in industry settings. To bridge this gap, our study aims to determine the extent of the adoption of AI-powered tools for SVM, identify barriers and facilitators to the use, and gather insights to help improve the tools to meet industry needs better. We conducted a survey study involving 60 practitioners from diverse industry sectors across 27 countries. The survey incorpo- rates both quantitative and qualitative questions to analyze the adoption trends, assess tool strengths, identify practical challenges, and uncover opportunities for improvement. Our findings indicate that AI-powered tools are used throughout the SVM life cycle, with 69% of users reporting satisfaction with their current use. Practi- tioners value these tools for their speed, coverage, and accessibility. However, concerns about false positives, missing context, and trust issues remain prevalent. We observe a socio-technical adoption pattern in which AI outputs are filtered through human oversight and organizational governance. To support safe and effective use of AI for SVM, we recommend improvements in explainability, con- textual awareness, integration workflows, and validation practices. We assert that these findings can offer practical guidance for practi- tioners, tool developers, and researchers seeking to enhance secure software development through the use of AI. CCS Concepts • Security and privacy →Vulnerability management; • Soft- ware and its engineering →Empirical software engineering. Keywords Software Vulnerability, Vulnerability Detection, Vulnerability Re- pair, Security Tools, Survey Study Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org. ICSE ’26, Rio de Janeiro, Brazil © 2026 Copyright held by the owner/author(s). Publication rights licensed to ACM. ACM Reference Format: M. Mehdi Kholoosi, Triet Huynh Minh Le, and M. Ali Babar. 2026. Software Vulnerability Management in the Era of Artificial Intelligence: An Industry Perspective. In Proceedings of 2026 IEEE/ACM International Conference on Software Engineering (ICSE ’26). ACM, New York, NY, USA, 13 pages. 1 Introduction Software Vulnerabilities (SVs) are critical security issues that can result in cybercrime and substantial financial losses [55]. Beyond their immediate economic consequences, SVs can jeopardize data privacy and intellectual property, ultimately undermining an orga- nization’s overall security posture [5]. The number and complexity of SVs have steadily increased, posing significant risks to software systems [32, 40]. Despite these growing threats, many SVs remain unpatched for prolonged periods, with half taking over a year to resolve [25, 41]. Tackling these challenges requires innovative auto- mated techniques to alleviate the costly and time-consuming man- ual effort involved in managing SVs. Software Vulnerability Man- agement (SVM) involves a comprehensive set of processes aimed at improving the security of software systems through the systematic detection, assessment, repair, and disclosure of SVs [16, 40]. These phases are collectively referred to as the SVM life cycle [36, 58], and we use this definition throughout this paper. Recent studies have increasingly proposed Artificial Intelligence (AI)-powered tools to support the SVM life cycle. Among these, Deep Learning (DL) has emerged as a prominent trend, show- ing promising results for Software Engineering (SE) [39], includ- ing various SVM tasks. For instance, DL models have shown ef- fectiveness in detecting and assessing SVs in different applica- tion domains [9, 42, 50, 67]. Unlike traditional static

This content is AI-processed based on open access ArXiv data.