The first part of implementing an exploit is finding a vulnerability, and "fix the vulnerabilities" accomplishes that just as well as "find the vulnerabilities".

should we also restrict a model if it can clone a repo, set up the tooling and build a project?