🤖 AI Summary
This study addresses the lack of a systematic understanding of how vulnerability identifiers such as CVE, CWE and GHSA are used and referenced by humans, bots and AI agents in real-world software development. It is the first systematic comparison of how these three actor types reference vulnerability identifiers in GitHub pull requests, using the AIDev-pop dataset together with an augmented set of PRs from the same repositories. Combining quantitative analysis with qualitative content examination, the study finds that bots account for 69.1% of all mentions, mostly in automated dependency updates, whereas humans and AI agents reference identifiers less often but in richer contexts, particularly vulnerability remediation and technical discussion. This points to distinct roles for the three actor types in security practice and to potential for collaboration among them.
📝 Abstract
Vulnerability identifiers such as CVE, CWE, and GHSA are standardised references to known software security issues, yet their use in practice is not well understood. This paper compares vulnerability ID use in GitHub pull requests authored by autonomous agents, bots, and human developers. Using the AIDev-pop dataset and an augmented set of pull requests from the same repositories, we analyse who mentions vulnerability identifiers and where they appear (title, description, commits, and comments). Bots account for about 69.1% of all mentions, usually a few identifiers placed in the pull request description, while human and agent mentions are rarer but spread across more locations. Qualitative analysis shows that bots mainly reference identifiers in automated dependency updates and audits, whereas humans and agents use them to support fixes, maintenance, and discussion.
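The kind of measurement the abstract describes, extracting CVE, CWE and GHSA identifiers from pull request text and tallying mentions by actor type and by location, can be reproduced in miniature. The block below is an added example written for this page, not code from the paper or the AIDev-pop dataset. The identifier grammars, the four location names, the actor labels and the three sample PRs are all assumptions made for the example; the sample text is constructed and uses well-known identifiers only as format examples.

```python
import re
from collections import Counter

# Identifier grammars. These are format assumptions made for this example,
# not definitions taken from the paper:
#   CVE-YYYY-NNNN...     four-digit year, then four or more digits
#   CWE-N                one or more digits
#   GHSA-xxxx-xxxx-xxxx  three groups of four characters from GitHub's
#                        advisory ID alphabet "23456789cfghjmpqrvwx"
_GHSA_CHARS = "23456789cfghjmpqrvwx"
ID_PATTERNS = {
    "CVE": re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE),
    "CWE": re.compile(r"\bCWE-\d+\b", re.IGNORECASE),
    "GHSA": re.compile(
        r"\bGHSA-[%s]{4}-[%s]{4}-[%s]{4}\b" % ((_GHSA_CHARS,) * 3), re.IGNORECASE
    ),
}

# Places in a pull request where an identifier can appear (assumed set).
LOCATIONS = ("title", "description", "commits", "comments")


def normalise(kind, raw):
    """Canonical spelling: CVE/CWE fully upper-case, GHSA suffix lower-case."""
    if kind == "GHSA":
        return "GHSA-" + raw[5:].lower()
    return raw.upper()


def extract_ids(text):
    """Return the distinct vulnerability identifiers in text, ordered by first
    appearance. A text that repeats the same identifier yields it once, so one
    field contributes at most one mention per identifier."""
    hits = []
    for kind, pattern in ID_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((m.start(), normalise(kind, m.group(0))))
    found = []
    for _, ident in sorted(hits):
        if ident not in found:
            found.append(ident)
    return found


def tally(prs):
    """Count mentions per actor type and per PR location, and collect the set
    of distinct identifiers. One mention = one distinct identifier in one
    field (title, description, a commit message, or a comment) of one PR."""
    by_actor = Counter()
    by_location = Counter()
    seen = set()
    for pr in prs:
        for loc in LOCATIONS:
            fields = pr.get(loc, [])
            if isinstance(fields, str):
                fields = [fields]
            for text in fields:
                ids = extract_ids(text)
                by_actor[pr["actor"]] += len(ids)
                by_location[loc] += len(ids)
                seen.update(ids)
    return by_actor, by_location, seen


def actor_shares(by_actor):
    """Fraction of all mentions attributable to each actor type."""
    total = sum(by_actor.values())
    return {actor: n / total for actor, n in by_actor.items()} if total else {}


# Constructed sample PRs (not drawn from AIDev-pop or any real repository).
# Actor labels follow the paper's three categories; author names are made up.
SAMPLE_PRS = [
    {"author": "dependabot[bot]", "actor": "bot",
     "title": "Bump log4j-core from 2.14.1 to 2.17.1",
     "description": ("Bumps log4j-core to 2.17.1. Fixes CVE-2021-44228 and "
                     "CVE-2021-45046 (GHSA-jfh8-c2jp-5v3q). See CVE-2021-44228 "
                     "for details."),
     "commits": ["Bump log4j-core from 2.14.1 to 2.17.1"],
     "comments": []},
    {"author": "alice", "actor": "human",
     "title": "Escape user input in search template",
     "description": "Fixes a reflected XSS (cwe-79) reported in #1234.",
     "commits": ["fix: escape query param in search.html (CWE-79)"],
     "comments": ["Confirmed the payload from the GHSA advisory no longer renders."]},
    {"author": "coding-agent", "actor": "agent",
     "title": "Harden YAML loading",
     "description": ("Replace yaml.load with yaml.safe_load to avoid "
                     "deserialisation of arbitrary objects (CWE-502)."),
     "commits": ["Use safe_load", "Add regression test for CVE-2020-1747"],
     "comments": []},
]

if __name__ == "__main__":
    by_actor, by_location, seen = tally(SAMPLE_PRS)
    print("mentions by actor:", dict(by_actor))
    print("mentions by location:", dict(by_location))
    print("distinct identifiers:", sorted(seen))
    for actor, share in actor_shares(by_actor).items():
        print(f"{actor}: {share:.1%} of mentions")
```

Two details matter when running this over real PR data. First, the word boundaries and the narrow GHSA alphabet keep bare tokens such as "GHSA" or "CVE-2021" from being counted, which is why the human comment above contributes nothing. Second, counting distinct identifiers per field rather than raw regex hits stops a description that repeats one CVE from inflating the bot share, so the per-actor percentages reflect how many identifiers were introduced, not how verbose the text was.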