Skip to main content

CRSBench Results

How today's bug-finding and bug-fixing CRSs perform on CRSBench.

3Trials per task
$30LLM budget / trial
8h / 2hFind / fix time limit
245KCPU-hours
$31KTotal eval spend

Bug-Finding Overlap Across CRSs

We compare bug-finding CRSs on 117 benchmarks (304 CPVs): a fuzzer-only baseline running each project's own fuzzer, an LLM agent (Claude Code, Opus 4.6) with basic bug-finding instructions, and, on the hardest subset, a hybrid CRS running both concurrently with a shared corpus. Each column below is one exclusive overlap class: which configurations found exactly those CPVs.

Across all 304 CPVs, the fuzzer and the LLM agent largely agree on the easy bugs and diverge on the rest: 74 of the fuzzer's 80 CPVs (93%) are also found by the agent, but the agent reaches 170 CPVs the fuzzer never triggers, and the fuzzer still finds 6 CPVs the agent misses. Neither approach subsumes the other.

Fuzzer80LLM agent24417074654

Per-configuration summary

CRSSolved CPVsTrial successTime to triggerLLM $/trial
Fuzzer only crs-given-fuzzer
26.3% (80/304)
24.6% (227/921)1,668s-
LLM agent crs-claude-code (Opus 4.6)
80.3% (244/304)
62.9% (579/921)1,981s$17.07

End-to-End Results

Five LLM agent-based CRSs run the full pipeline (find a vulnerability, then fix it) on a partial AFC subset of 51 vulnerabilities, using identical prompts and changing only the vendor-provided coding-agent harness. The finding stage is the main differentiator: bug-finding success spans 45–92% while conditional fix rates cluster at 70–94%, and finding dominates the LLM cost ($1.09–$10.91 per trial vs. $0.12–$1.19 for fixing).

020406080100$0$2$4$6$8$10E2E LLM spend per trial (USD)E2E success rate (%)Claude Code (Opus 4.6)Opencode (GLM-5.1)Gemini CLI (Gemini 3 Flash)Codex (GPT-5.4-mini)Claude Code (Haiku 4.5)
CRS
Claude Code Opus 4.6
92% (47/51)
$10.91
89% (42/47)
$1.19
82% (42/51)
$9.52
Opencode GLM-5.1
84% (43/51)
$2.11
81% (35/43)
$0.12
69% (35/51)
$1.73
Gemini CLI Gemini 3 Flash
61% (31/51)
$1.77
94% (29/31)
$0.35
57% (29/51)
$1.55
Codex GPT-5.4-mini
59% (30/51)
$1.26
93% (28/30)
$0.36
55% (28/51)
$1.15
Claude Code Haiku 4.5
45% (23/51)
$1.09
70% (16/23)
$0.42
31% (16/51)
$0.91

Success = vulnerabilities solved at least once across 3 trials on the 51-vulnerability AFC subset; cost = mean per-trial LLM spend. *Fix is conditional on the vulnerability being found first. Click a column header to sort.

Bug Fixing Across Agents

Three coding agents patch all benchmark vulnerabilities under two modes: delta, where the bug-introducing commit is supplied, and full, where the CRS must localize the fault in the whole project on its own. Every patch must reproduce none of the PoVs (including CRSBench's variant PoVs) and pass the project's functionality tests.

CRSDelta modeFull modeOverallTime/trialLLM $/trial
Claude Code Opus 4.6
88.3% (546/618)
82% (241/294)
86.3%607s$1.43
Codex GPT-5.4
88% (544/618)
85.7% (252/294)
87.3%589s$1.29
Gemini CLI Gemini 3.1 Pro
87.9% (543/618)
84% (247/294)
86.6%1,255s$0.89

Success rate by ground-truth patch structure

We bucket all 2,736 fixing trials by properties of the ground-truth patch: changed lines, files, hunks, and whether the top line of the crash stack trace matches the patched code. Success drops as patches grow or move away from the crash site, falling to 75–81% for patches with 3+ hunks, 14+ changed lines, or no match with the top line of the crash stack trace.

SuccessFunc. test failSecurity failNo patch / build fail

Changed lines

0-2
85%9%
85.0%
3-6
90%
89.7%
7-13
92%
92.1%
14+
75%10%12%
75.1%

Files changed

1
84%
84.2%
2
95%
95.0%
3+
86%11%
85.7%

Hunks

1
87%
86.5%
2
91%
90.9%
3+
79%14%
78.5%

Crash stack top line / patch match

line
85%
85.5%
function
90%
89.6%
file
88%
88.2%
no match
81%11%
80.8%