VerDiff: Automated Vulnerability Version Detection for Open Source Security
T2024-006
The Need
Open source software is foundational to modern development, yet it introduces significant security risks due to outdated dependencies and inaccurate vulnerability advisories. Public databases often fail to identify all affected versions of software, leaving organizations exposed. With vulnerabilities sometimes lying dormant for years, enterprises urgently need a precise, scalable solution to assess the true impact of newly discovered threats across their software ecosystems.
The Technology
VerDiff is a novel software analysis tool that automatically identifies all versions of a program affected by a known vulnerability. Starting from a single known exploit, VerDiff combines dynamic analysis, taint tracking, and isomorphic subgraph matching with a proprietary signature generation and matching technique. This integrated approach enables VerDiff to deliver unmatched accuracy and speed, identifying hundreds of advisory errors in hours using only standard computing resources.
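To make the core idea concrete, the following is an added example, not VerDiff's code and not its proprietary signature technique: each release is reduced to a small labelled digraph (nodes are the operations along the tainted path from an exploit trace, edges are data or control flow), the vulnerability signature is a small labelled digraph distilled from one exploit, and a release is flagged as affected when the signature is isomorphic to one of its subgraphs. Because matching is by node label and edge structure rather than by identifier, it does not need a patch to compare against. All graphs, version numbers and the advisory list are constructed sample data.

```python
"""Illustrative signature-based affected-version finder (added example,
not VerDiff's code). Releases are modelled as labelled digraphs and a
release is flagged when the vulnerability signature embeds into it."""
from typing import Dict, List, Set, Tuple

# node id -> (label, set of successor node ids)
Graph = Dict[str, Tuple[str, Set[str]]]


def _consistent(sig: Graph, prog: Graph, mapping: Dict[str, str], s: str) -> bool:
    """Every signature edge touching `s` whose other endpoint is already
    mapped must have a matching edge in `prog` under `mapping`."""
    p = mapping[s]
    for t in sig[s][1]:                      # edges s -> t
        if t in mapping and mapping[t] not in prog[p][1]:
            return False
    for u, (_, succ) in sig.items():         # edges u -> s
        if u in mapping and s in succ and p not in prog[mapping[u]][1]:
            return False
    return True


def contains_signature(sig: Graph, prog: Graph) -> bool:
    """Backtracking search for a label-preserving, edge-preserving injective
    map sig -> prog (subgraph isomorphism; fine for signatures of a few nodes)."""
    order = list(sig)
    mapping: Dict[str, str] = {}

    def place(i: int) -> bool:
        if i == len(order):
            return True
        s = order[i]
        for p, (label, _) in prog.items():
            if label != sig[s][0] or p in mapping.values():
                continue
            mapping[s] = p
            if _consistent(sig, prog, mapping, s) and place(i + 1):
                return True
            del mapping[s]
        return False

    return place(0)


def affected_versions(sig: Graph, versions: Dict[str, Graph]) -> List[str]:
    """Every version whose graph embeds the signature."""
    return [v for v, g in versions.items() if contains_signature(sig, g)]


def advisory_gaps(found: List[str], advisory: Set[str]) -> List[str]:
    """Versions the analysis flags that the advisory omits."""
    return [v for v in found if v not in advisory]


# Constructed signature: an attacker-controlled length flows straight from
# the parser into the copy with no bounds check in between.
SIGNATURE: Graph = {
    "a": ("parse_len", {"b"}),
    "b": ("memcpy", {"c"}),
    "c": ("use_buf", set()),
}

# Constructed release graphs. Node ids differ between releases on purpose:
# matching is by label and edge structure, not by identifier. 2.x inserts a
# length check between parse_len and memcpy, so the signature no longer embeds.
VERSIONS: Dict[str, Graph] = {
    "1.0": {"n1": ("parse_len", {"n2"}), "n2": ("memcpy", {"n3"}),
            "n3": ("use_buf", set())},
    "1.1": {"x": ("parse_len", {"y", "log"}), "log": ("log_msg", set()),
            "y": ("memcpy", {"z"}), "z": ("use_buf", set())},
    "1.2": {"p0": ("parse_len", {"p1"}), "p1": ("memcpy", {"p2"}),
            "p2": ("use_buf", {"p3"}), "p3": ("free_buf", set())},
    "2.0": {"q0": ("parse_len", {"q1"}), "q1": ("len_check", {"q2"}),
            "q2": ("memcpy", {"q3"}), "q3": ("use_buf", set())},
    "2.1": {"r0": ("parse_len", {"r1"}), "r1": ("len_check", {"r2"}),
            "r2": ("memcpy", {"r3"}), "r3": ("use_buf", set())},
}

# Constructed advisory that lists only the releases the reporter happened to test.
ADVISORY: Set[str] = {"1.1", "1.2"}

if __name__ == "__main__":
    found = affected_versions(SIGNATURE, VERSIONS)
    print("flagged:", found)                                          # ['1.0', '1.1', '1.2']
    print("missing from advisory:", advisory_gaps(found, ADVISORY))  # ['1.0']
```

The brute-force matcher is only practical because real signatures are small relative to a program graph; the value of the approach is that the same signature is checked against every release mechanically, which is how under-reported versions like the constructed `1.0` above surface without anyone re-testing by hand.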
Commercial Applications
• Software supply chain security platforms
• Vulnerability management and compliance tools
• DevSecOps and CI/CD pipeline integrations
• Open-source software auditing services
• Threat intelligence and incident response platforms
Benefits/Advantages
• High Accuracy: Identifies up to 32% more affected versions than official CVE advisories.
• Scalable: Analyzes hundreds of versions in under five hours (average 25 seconds per version).
• Patch-Independent: Operates without requiring a patch.
• Versatile: Supports a wide range of vulnerability types and programming languages (e.g., C/C++).
• Automated: Reduces manual triage and expert intervention.