Sep1 '17

with Zhe Yu, NC State


The goal of HARMLESS is to aid software engineers to efficiently reduce software vulnerabilities via active learning.


Society needs more secure software. But the subject matter experts in software security are in short supply. Hence, it is vital to make the most of their limited time.


  • Firstly, by integrating human and vulnerability prediction model (VPM) in an active learning environment, HARMLESS keeps refining the VPM based on human decisions. This allows HARMLESS to find vulnerabilities with least amount of code inspected by humans (least human effort) without any historical vulnerability data (before a software’s first release).
  • Secondly, by estimating the total number of vulnerabilities in a software project, HARMLESS guides human to stop the inspection at a desired recall (percentage of vulnerabilities found).
  • Thirdly, HARMLESS identifies and corrects human errors with least redundant inspection (source code files inspected multiple times by different humans).