I never said Bing Copilot was used, so your comment makes no sense to me. I offered Bing Copilot as an illustration of a GPT-4 implementation that overcomes the age of its training data set by incorporating search results into its context window. Using this technique, Bing Copilot can offer code solutions for APIs published *after* the GPT-4 model was trained. The new API documentation doesn't have to be part of the model; the model can still produce reasonable results when that documentation is supplied in the context window.
The researchers seem to have used the same principle. They wouldn't have had to incorporate the CVE into the training data itself, only into the context window. If they had updated the GPT-4 model itself, they would likely have said so in the description of their work. Instead, they used the phrase "by reading security advisories." The word "reading" does not suggest that they updated the training data, but rather that they used the existing, pretrained model to analyze the documents.
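To make that concrete, here's a minimal sketch of the pattern in Python using the OpenAI SDK. I'm not claiming this is the researchers' exact setup; the advisory file name and prompt wording are my own illustration. The point is just that the advisory text rides along in the prompt, not in the model's weights:

```python
from pathlib import Path

from openai import OpenAI

client = OpenAI()  # assumes OPENAI_API_KEY is set in the environment

# Hypothetical advisory text, fetched or saved earlier. Nothing here
# retrains the model; the document simply goes into the context window.
advisory_text = Path("cve-advisory.txt").read_text()

response = client.chat.completions.create(
    model="gpt-4",
    messages=[
        {"role": "system", "content": "You are a security analyst."},
        {
            "role": "user",
            "content": (
                "Read the following security advisory and summarize the "
                "vulnerability it describes:\n\n" + advisory_text
            ),
        },
    ],
)

print(response.choices[0].message.content)
```

The model "reads" the advisory the same way it reads any other user-supplied text, which is all the researchers' phrasing requires.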
The CVE descriptions might be vague to humans but more digestible to an LLM. I've seen this clearly illustrated by Google's NotebookLM. https://notebooklm.google.com/... With this tool, you can upload, say, a homeowner's insurance policy and then ask the AI questions about it. The policy language is intentionally obtuse and difficult to read, but the LLM doesn't seem to have any difficulty with it.