arXiv: ARVO: Atlas of Reproducible Vulnerabilities for Open-Source Software

This publication introduces the ARVO framework, a comprehensive atlas cataloguing reproducible vulnerabilities in open-source software components. It systematically documents known security flaws with verified exploitability, providing a structured dataset that can be used to test and validate the robustness of AI systems relying on open-source libraries. The work is particularly relevant under the AI Safety framework, as it directly addresses the need for transparent, verifiable security baselines in software supply chains.

The primary affected organizations are those developing, deploying, or auditing AI systems that incorporate open-source dependencies, including technology firms, financial services, healthcare providers, and any sector subject to EU AI Act obligations. Compliance teams in these organizations must now consider whether their software bill of materials includes components listed in the ARVO dataset, as unpatched vulnerabilities could constitute a systemic safety risk under emerging regulatory standards.

Compliance teams should immediately review their current vulnerability management processes against the ARVO dataset to identify any gaps in coverage. They should integrate this atlas into their continuous monitoring and risk assessment workflows, particularly for high-risk AI systems. Additionally, teams should document how they are using or not using this resource in their compliance reporting, as regulators may expect proactive use of publicly available vulnerability repositories to demonstrate due diligence.