Cloudflare Vulnerability Validation System
The Vulnerability Validation System (VVS) is Cloudflare's second-stage triage engine. It receives findings from the Vulnerability Discovery Harness (VDH) and other automated harnesses and runs each one through three jobs: dedup, judgment and fixing. The jobs run on a different model from the discovery harness, so every finding is cross-checked by a model that did not produce it.
As of mid-2026, VVS holds 13,841 findings across 145 repos.
Architecture
| Stage | Role | Detail |
|---|---|---|
| Dedup | Identify duplicates and consolidate | Deterministic: inverted indexes over files, functions, trust boundaries and rare tokens narrow each finding to a short candidate list. Probabilistic: an agent reasons over that short list. Stable cross-run keys reopen an existing record when the same bug is rediscovered, rather than spawning a new one. |
| Judgment | Production reachability + validation | A single agent builds context from MCP servers (wiki, Jira, git, config), determines whether the code path is reachable in production, and validates that the bug still exists on the latest main branch. It separates "exploitable now" from "real but latent" and from "wrong component". |
| Fixing | Generate patches + run regression tests | Runs the targeted test before and after the patch and requires a clean fail→pass flip (failing before, passing after). If the post-patch target test fails or downstream regressions are detected, the commit is auto-blocked for human intervention. |
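The Dedup row above describes a deterministic pre-filter followed by a probabilistic pass. The following is an added example, not Cloudflare's code, showing the shape of that pipeline in Python: weighted inverted indexes over file, function, trust boundary and rare description tokens produce a short candidate list, a stable cross-run key reopens an existing record when the same bug is rediscovered on a later run, and a deterministic heuristic stands in for the cross-model agent so the example runs offline. The repo, file and function names, the index weights, the rarity threshold and the findings themselves are constructed for illustration and are not VVS data.

```python
"""Two-stage deduplication in the style of the VVS Dedup job.
Added example, not Cloudflare's code: names, weights and thresholds are assumptions."""
import hashlib
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

STOPWORDS = {"the", "and", "with", "without", "from", "that", "this", "for",
             "are", "via", "into", "not", "instead"}


@dataclass(frozen=True)
class Finding:
    id: str
    repo: str
    file: str
    function: str
    trust_boundary: str   # boundary the input crosses, e.g. "http-ingress"
    bug_class: str        # harness taxonomy label; different harnesses may disagree
    description: str


def tokens(text):
    """Lower-cased word tokens of 3+ chars, minus stopwords."""
    return set(re.findall(r"[a-z0-9_]{3,}", text.lower())) - STOPWORDS


def stable_key(f):
    """Cross-run key: the same bug rediscovered later hashes to the same record."""
    raw = "|".join(s.strip().lower() for s in (f.repo, f.file, f.function, f.bug_class))
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def judge_duplicate(new, cand):
    """Stand-in for the probabilistic stage. VVS hands the short list to an agent on a
    different model; here a deterministic heuristic plays that role so this runs offline."""
    if new.repo != cand.repo:
        return False
    same_site = new.file == cand.file and new.function == cand.function
    a = tokens(new.description) | tokens(new.bug_class)
    b = tokens(cand.description) | tokens(cand.bug_class)
    jaccard = len(a & b) / len(a | b) if a | b else 0.0
    return same_site and jaccard >= 0.35   # threshold is an assumption


class DedupIndex:
    def __init__(self, rare_max_df=2):
        self.rare_max_df = rare_max_df   # token is "rare" if seen in <= this many findings
        self.findings = {}
        self.postings = defaultdict(set)  # (index name, key) -> finding ids
        self.df = Counter()               # document frequency per description token
        self.records = {}                 # stable key -> record id
        self.record_of = {}               # finding id -> record id

    def _keys(self, f):
        yield ("file", f.repo, f.file), 3
        yield ("function", f.repo, f.function), 3
        yield ("boundary", f.repo, f.trust_boundary), 1
        for t in tokens(f.description):
            yield ("token", t), 2

    def _add(self, f):
        self.findings[f.id] = f
        for key, _ in self._keys(f):
            self.postings[key].add(f.id)
            if key[0] == "token":
                self.df[key[1]] += 1

    def candidates(self, f, limit=5):
        """Deterministic pre-filter: union the posting lists for this finding's keys and
        rank by weighted overlap. Cost scales with the postings touched, not with all N."""
        score = Counter()
        for key, weight in self._keys(f):
            if key[0] == "token" and self.df[key[1]] > self.rare_max_df:
                continue   # common tokens fan out to most findings and carry no signal
            for fid in self.postings.get(key, ()):
                score[fid] += weight
        ranked = sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))
        return [fid for fid, _ in ranked[:limit]]

    def ingest(self, f):
        """Returns (outcome, record id); outcome is 'reopened', 'duplicate_of' or 'new'."""
        key = stable_key(f)
        if key in self.records:                  # same bug, later run: reopen, don't spawn
            outcome, record = "reopened", self.records[key]
        else:
            outcome, record = "new", key
            for cid in self.candidates(f):
                if judge_duplicate(f, self.findings[cid]):
                    outcome, record = "duplicate_of", self.record_of[cid]
                    break
        self.records[key] = record
        self.record_of[f.id] = record
        self._add(f)
        return outcome, record


SAMPLE = [  # constructed findings, not real Cloudflare data
    Finding("F1", "edge-proxy", "src/handlers/static.go", "ServeFile", "http-ingress", "path-traversal",
            "path traversal in ServeFile: user-supplied name is joined to the static root without cleaning, so ../ sequences escape the directory"),
    Finding("F2", "edge-proxy", "src/handlers/static.go", "ServeFile", "http-ingress", "directory-traversal",
            "directory traversal in ServeFile: filename from the request is joined to the static root with no cleaning; ../ escapes"),
    Finding("F3", "edge-proxy", "src/db/users.go", "ListUsers", "internal-rpc", "sql-injection",
            "sql injection in ListUsers: the org filter is concatenated into the query string instead of bound as a parameter"),
    Finding("F4", "edge-proxy", "src/handlers/static.go", "ServeFile", "http-ingress", "path-traversal",
            "path traversal in ServeFile (re-discovered on a later run)"),
]


def run_sample():
    """Ingest the constructed findings in order and return each (outcome, record id)."""
    index = DedupIndex()
    return [index.ingest(f) for f in SAMPLE]
```

F2 is the same bug as F1 reported under a different taxonomy label, so its stable key differs and it has to go through the candidate list and the judge; F4 is F1 rediscovered on a later run and is caught by the key alone, never reaching the model. Raising `rare_max_df` relative to corpus size is what keeps the token index from degenerating into a full scan.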
Key design decisions
- Different model from VDH: Model B judging Model A's output means each finding is evaluated by a model with entirely different weights, an adversarial third party that is unlikely to share the discovery model's blind spots (patterns/adversarial-cross-model-validation).
- O(N) deduplication: the deterministic inverted-index pre-filter narrows each finding to a short candidate list, so the model reasons over a handful of candidates instead of comparing every pair of findings, and is never on the critical path of the full scan (concepts/inverted-index-deduplication).
- Human-in-the-loop gate: the Fixer never merges code on its own. A patch that passes the fail→pass flip and the regression run is queued for human review, which is the non-negotiable safeguard for change-management compliance (patterns/fail-pass-flip-gate).
- Contextual judgment over static CVSS: remediation windows are driven by the production-reachability determination rather than by a fixed CVSS score, so the window reflects whether the code path is actually exposed.
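The Fixing stage's fail→pass flip and the human-in-the-loop gate above can be expressed as one small gate function. The following is an added example, not Cloudflare's Fixer, in Python: it builds a constructed mini-repo containing a deliberately vulnerable path-resolution function, a target test that reproduces the bug and a regression test for the happy path, then applies three candidate patches (a real fix, a stub that disables the function, and a no-op) and shows that only the real fix produces a fail→pass flip with a clean regression run. The best verdict the gate can return is "ready_for_review"; it never merges. File names, test scripts, patches and verdict strings are all constructed for this example.

```python
"""Fail->pass flip gate for machine-generated patches.
Added example, not Cloudflare's Fixer: the mini-repo, tests and patches are constructed."""
import os
import subprocess
import sys
import tempfile

# Constructed vulnerable module: joins a user-controlled name under ROOT with no containment check.
VULN_MODULE = '''\
import os
ROOT = "/srv/static"

def resolve(name):
    return os.path.join(ROOT, name)   # vulnerable: "../" walks out of ROOT
'''

# Target test: exits 0 only if traversal is rejected. It must FAIL before a valid patch.
TARGET_TEST = '''\
import static
try:
    static.resolve("../etc/passwd")
except ValueError:
    raise SystemExit(0)
raise SystemExit(1)
'''

# Regression test: the happy path must keep working after the patch.
REGRESSION_TEST = '''\
import static
assert static.resolve("css/app.css") == "/srv/static/css/app.css"
'''

# A real fix: normalise, then require the result to stay under ROOT.
GOOD_PATCH = '''\
import os
ROOT = "/srv/static"

def resolve(name):
    path = os.path.normpath(os.path.join(ROOT, name))
    if not path.startswith(ROOT + os.sep):
        raise ValueError("path escapes static root")
    return path
'''

# Over-broad "fix": makes the target test pass by breaking the feature entirely.
STUB_PATCH = '''\
def resolve(name):
    raise ValueError("disabled")
'''

# Cosmetic change only: the bug is still there, so there is no flip to observe.
NOOP_PATCH = VULN_MODULE.replace("# vulnerable", "# TODO")


def _write(repo, files):
    for rel, content in files.items():
        with open(os.path.join(repo, rel), "w", encoding="utf-8") as fh:
            fh.write(content)


def run_test(repo, script):
    """Run one test script as a fresh process; True means exit status 0 (pass)."""
    env = {**os.environ, "PYTHONDONTWRITEBYTECODE": "1"}   # never reuse a stale .pyc across patch states
    return subprocess.run([sys.executable, script], cwd=repo, env=env, capture_output=True).returncode == 0


def flip_gate(repo, patch, target_test, regression_tests):
    """Return (verdict, reason). The gate never merges: its best verdict is 'ready_for_review'."""
    if run_test(repo, target_test):
        return "blocked", "target test passes before the patch, so it does not reproduce the finding"
    original = {}
    for rel in patch:
        with open(os.path.join(repo, rel), encoding="utf-8") as fh:
            original[rel] = fh.read()
    _write(repo, patch)
    if not run_test(repo, target_test):
        verdict = "blocked", "no fail->pass flip on the target test"
    else:
        failed = [t for t in regression_tests if not run_test(repo, t)]
        if failed:
            verdict = "blocked", "downstream regressions failed: " + ", ".join(failed)
        else:
            verdict = "ready_for_review", "clean fail->pass flip and regression suite green"
    if verdict[0] == "blocked":
        _write(repo, original)   # leave the tree as it was for the human who picks this up
    return verdict


def demo():
    """Gate each constructed patch in its own throwaway repo; returns {patch name: verdict}."""
    results = {}
    for name, body in {"good": GOOD_PATCH, "stub": STUB_PATCH, "noop": NOOP_PATCH}.items():
        with tempfile.TemporaryDirectory() as repo:
            _write(repo, {"static.py": VULN_MODULE, "test_target.py": TARGET_TEST,
                          "test_regress.py": REGRESSION_TEST})
            results[name] = flip_gate(repo, {"static.py": body}, "test_target.py", ["test_regress.py"])[0]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The pre-check that the target test fails before the patch matters as much as the flip itself: a test that already passes proves nothing about the finding, and a model-written patch paired with a model-written test can otherwise pass the gate without touching the bug. The stub patch is the case the regression run exists for.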
Operational numbers
- 13,841 total findings in the system (the three buckets below sum to this total)
- 5,442 closed as duplicates
- 1,154 routed as wrong-repo / low-risk
- 7,245 actionable findings sent to teams
- about 5 minutes per bug, average Fixer processing time
Related
- systems/cloudflare-vulnerability-discovery-harness — upstream discovery engine feeding VVS
- patterns/fail-pass-flip-gate — the automated patch verification primitive
- patterns/tiered-remediation-rollout — critical 5-day / latent 15-20-day deployment cadence