How much fake LLM credit can our chart absorb?
The LLM-credit tracker on this site sits on two signals. Auditing where those signals actually live tells you how poisonable the chart is.
Last updated: 02 June 2026 14:43 UTC
The site publishes an LLM-credit tracker — the running share of CVEs whose discovery is publicly credited to a large language model. The pipeline reads two surfaces: NVD’s English descriptions, and the text of the vendor advisories that the CVE’s references point at. If you wanted to fake LLM credit to make your company look like a fast AI adopter, you would presumably write the credit into one of those two places. So I ran an audit: where does the signal actually sit today, and how much synthetic credit would it take to break the reading?
The confusion matrix
The mythos-credited corpus today is 335 CVEs. For each one I joined the NVD description and the cached vendor advisory text and ran a permissive LLM-mention regex against both surfaces. Four cells: NVD only, advisory only, both, neither.
The shape of this matrix is the headline. Zero CVEs hit on both surfaces. The advisory text alone accounts for 54 percent of the corpus. NVD’s description carries the credit in two CVEs. The remaining 45 percent enter the corpus with neither surface mentioning an LLM: the upstream detector caught the credit from URL patterns on the CVE’s reference list (anthropic.com, glasswing.ai, the Big Sleep blog, etc.).
What that means for poisoning resistance
Three different attack surfaces, three different costs to abuse.
NVD-description poisoning is the hardest path. The CVE Numbering Authority writes the descriptions; even well-resourced vendors do not get to put discoverer-credit language in there reliably. Today the surface accounts for two data points across 335. Pumping it would require either convincing CNAs to adopt new credit conventions or trying to influence individual analysts. Slow and visible.
Advisory-text poisoning is the cheapest path. A vendor controls the advisory it publishes. Adding “discovered with LLM assistance” or “identified via Codex-driven static analysis” to a CVE’s advisory takes seconds. Today this surface carries 54 percent of the signal — if vendors decided to start using LLM-credit language as a brand-positioning lever, the numerator on the tracker would balloon while nothing about the actual research practice changed.
URL-heuristic credits are robust. The 45 percent of the corpus we catch via URL patterns require an actual upstream artifact — a research blog post, an organisational reference page, a publication URL. Standing one of those up costs more than appending a sentence to your own advisory.
How to read the chart going forward
The honest read is that the tracker reflects two signals of very different quality. The URL-heuristic subset is solid. The advisory-text subset is poisonable. If you see the share rise and want to know whether the underlying research practice actually changed, the test to run is: does the URL-heuristic subset rise in lockstep, or does the rise come entirely from the advisory-text subset? If it’s the second, treat the move as marketing.
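One way to run that test, shown as an added example rather than the tracker's own code: it places each credited CVE in the four-cell matrix and then compares two snapshots to name the subset that moved the share. The regex, record layout, function names and sample records are assumptions constructed for illustration, and the verdict looks only at the sign of each subset's change, not at how closely the two move together.

```python
import re
from collections import Counter

# Assumed permissive pattern; the tracker's own regex is not shown on the page.
LLM_MENTION = re.compile(r"\b(?:LLMs?|large language models?|Codex|Big Sleep)\b", re.I)
ADV, URL = ("advisory_only", "both"), ("neither",)

def cell(nvd_desc, advisory_text):
    """Place one credited CVE in the 2x2 matrix of text surfaces."""
    in_nvd = bool(LLM_MENTION.search(nvd_desc or ""))
    in_adv = bool(LLM_MENTION.search(advisory_text or ""))
    if in_nvd and in_adv:
        return "both"
    if in_nvd:
        return "nvd_only"
    # "neither" means the credit came from the URL heuristic, not from text.
    return "advisory_only" if in_adv else "neither"

def matrix(credited):
    """credited: iterable of (cve_id, nvd_desc, advisory_text) tuples."""
    return Counter(cell(nvd, adv) for _, nvd, adv in credited)

def read_rise(before, after):
    """Compare two (matrix, total_cves) snapshots; name the subset that moved."""
    def share(snapshot, cells):
        counts, total = snapshot
        return sum(counts.get(c, 0) for c in cells) / total
    def delta(cells):
        return share(after, cells) - share(before, cells)
    d_total, d_adv, d_url = delta(ADV + URL + ("nvd_only",)), delta(ADV), delta(URL)
    if d_total <= 0:
        verdict = "no rise"
    elif d_url > 0:
        verdict = "url-heuristic subset rose too"
    elif d_adv > 0:
        verdict = "advisory-only rise"  # the case the page says to treat as marketing
    else:
        verdict = "nvd-description rise"
    return {"d_total": d_total, "d_advisory": d_adv, "d_url": d_url, "verdict": verdict}

# Constructed sample records (not real CVEs or advisory text).
BEFORE = [
    ("CVE-EXAMPLE-1", "Heap overflow in parser.", "Discovered with LLM assistance."),
    ("CVE-EXAMPLE-2", "Use after free in renderer.", "Reported by an external researcher."),
]
AFTER = BEFORE + [
    ("CVE-EXAMPLE-3", "Path traversal in upload.", "Identified via Codex-driven static analysis."),
    ("CVE-EXAMPLE-4", "SQL injection in search.", "Found by a large language model."),
]
print(read_rise((matrix(BEFORE), 100), (matrix(AFTER), 100))["verdict"])
```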
I expect the audit to drift over time. CNAs may adopt credit-language conventions and pull NVD descriptions into the mix. New vendor brand teams may start sprinkling LLM credits into routine advisories. I’ll re-run this audit periodically and publish the confusion matrix as it evolves so the chart’s readers know which surface is doing the work on any given day.