AI coding assistants write vulnerable code nearly half the time they touch security-sensitive scenarios, according to Veracode research cited by the dataset's authors.
SecureCode is a 2,185-example dataset released on Hugging Face, built to fill a gap: no public training set previously covered both traditional web security and AI/ML-specific threats in a format ready for instruction tuning. The web security half spans 1,435 examples across the OWASP Top 10 2021, 11 programming languages, and 9 frameworks, every one grounded in documented CVEs. The AI/ML half adds 750 examples covering all 10 categories of the OWASP LLM Top 10 2025, touching frameworks including LangChain, OpenAI, and Hugging Face. Each example follows a four-turn structure: feature request, vulnerable and secure implementations with attack demos, advanced probing, and defense-in-depth guidance.
The practical bet here is that fine-tuning on structured, multi-turn security conversations will produce models that handle threat modeling as a first-class concern rather than an afterthought. The researchers released eight fine-tuned open-source models ranging from 3B to 20B parameters alongside an evaluation framework with four security-specific metrics — giving teams something to benchmark against rather than just raw training data. The AI/ML component alone earned a rubric-calibrated mean quality score of 93.8 out of 100 across more than 10,500 automated assessments.
Whether fine-tuning on any dataset actually closes the 45% vulnerability gap in production remains the open question — but at minimum, SecureCode gives researchers a common baseline that didn't exist before.