Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Test Suite Generator (VTSG) Version 3



Paul E. Black, William Mentzer, Elizabeth Fong, Bertrand Stivalet


The Vulnerability Test Suite Generator (VTSG) Version 3 can create vast numbers of synthetic programs with and without specific flaws or vulnerabilities. Such programs are useful for measuring static analysis tools. VTSG was designed by the Software Assurance Metrics and Tool Evaluation (SAMATE) team and originally implemented by students at TELECOM Nancy. The latest version is structured to be able to generate vulnerable and nonvulnerable synthetic programs expressing specific flaws in any programming language. It has libraries to generate PHP, C#, and Python programs. This document may help if you are trying to generate test cases in PHP, C#, or Python, adding new complexities or flaws or vulnerability, or modifying VTSG to have new capabilities or to generate test cases in other programming languages.
NIST Interagency/Internal Report (NISTIR) - 8493
Report Number


Software assurance, static analyzer, test case generator, software vulnerabilities.


Black, P. , Mentzer, W. , Fong, E. and Stivalet, B. (2023), Vulnerability Test Suite Generator (VTSG) Version 3, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online],, (Accessed June 21, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created October 13, 2023