From Residual Faults to Zero-Day Software Vulnerabilities: A Characterization Study

Categories: Events, Seminar Series

Domenico Cotroneo

Department of Computer Science

UNC Charlotte

Nov 12 2025 11:30 WWH 335

Zero-day vulnerabilities and residual software faults share a common characteristic: both escape detection during development and testing, yet represent critical threats to software security and reliability. While residual faults remain hidden until triggered in the field, zero-day vulnerabilities are unknown to vendors and exploitable before patches are available. Existing research on vulnerability prediction has mainly focused on software metrics, machine learning, and, more recently, large language models, but has not established a clear relationship between residual faults and zero-day vulnerabilities. Moreover, most studies are limited by narrow datasets and simplistic metrics, overlooking the potential for broader characterizations. This talk investigates whether zero-day vulnerabilities can be understood as a special class of residual faults. We aim to extend current vulnerability prediction approaches by characterizing both phenomena using product, process, and statistical metrics, combined with Orthogonal Defect Classification (ODC). Through this analysis, we seek to (i) provide a deeper understanding of the nature of residual faults and zero-day vulnerabilities, (ii) explore their possible interdependencies, and (iii) develop predictive models capable of addressing the most elusive and dangerous problems in software projects. Addressing these challenges is essential for advancing software reliability and strengthening defenses against unknown security threats.

Dr. Domenico Cotroneo is Professor of Computer Science at the University of North Carolina at Charlotte. His work spans several areas within software engineering and dependable computing, including: dependability and security assessment of complex software systems; software fault injection and failure-data analysis; automatic software exploit generation and threat emulation; and software performance degradation and reliability of middleware.