We sincerely thank you for your positive feedback and valuable suggestions. Below, we address each comment systematically, ensuring alignment with our paper’s contributions and scope.

Q1: Evaluation BadVLA Against Advanced and State-of-the-art Defense Methods

A1: We agree that evaluating advanced defenses is valuable for thoroughly assessing our backdoor's robustness. However, adapting certain general-domain defenses (e.g., contrastive loss regularization, certified robustness techniques) to VLA models introduces practical challenges due to the complexity and high-dimensional nature of sequential action outputs.

Therefore, to address your concern about stronger adaptive defenses, we selected and evaluated two state-of-the-art approaches widely used and validated in generative-model backdoor literature:

• Pruning-finetuning (removing low-activation neurons and retraining, ref [1])
• Image purification (Gaussian blur + diffusion recovery, ref [2]).

Table A. SR and ASR on defense with pruning-finetuning.

Table B. SR and ASR on defense with image purification.

Due to time constraints, we evaluated pruning-finetuning and image purification on two representative tasks (Libero_goal and Libero_object), and will extend to all tasks in the revised version.

As shown in Tables A and B, pruning-finetuning and moderate-strength purification do not significantly affect the attack success rate (e.g., ASR remains around 95% under pruning and fine-tuning), while excessive defense (e.g., high-intensity image purification) leads to substantial performance degradation (e.g., Goal SR drops from 95.0% to 10.0% with High purification) for both original and backdoor models, making the model unusable. Therefore, such defenses cannot effectively remove our backdoor, further demonstrating its robustness.

---

Refs: [1] Liu K, Dolan-Gavitt B, Garg S. Fine-pruning: Defending against backdooring attacks on deep neural networks[C]//International symposium on research in attacks, intrusions, and defenses. Cham: Springer International Publishing, 2018: 273-294.

[2] Shi Y, Du M, Wu X, et al. Black-box backdoor defense via zero-shot image purification[J]. Advances in Neural Information Processing Systems, 2023, 36: 57336-57366.

---

Q2: Imperceptibility of Trigger Patterns

A2: To address your concern regarding the perceptibility of our triggers, we performed both quantitative and subjective analyses.

1. For pixel-level triggers, we evaluated different trigger sizes (see Page 6, Figure 2, left):
   • 1% size trigger
   • 5% size trigger
   • 10% size trigger

We further quantify the $L_2$ perturbation using the following metric between the trigger region and the corresponding area in the clean image:

$$L_2 = \sqrt{\frac{1}{N} \sum_{i=1}^{N} (I_i - I_i')^2}$$

where $I_i$ and $I_i^′$ denote the pixel values of the clean and triggered images respectively, and $N$ is the number of perturbed pixels.

The experimental results are reported in Table C. As shown, the 1% trigger has an $L_2$ distance of only 1.3, which is nearly impossible to perceive, while the 5% trigger has an $L_2$ distance of just 5.6, also very difficult to notice. As shown in (Page 6, Figure 2, right), even a 1% trigger can still achieve over 90% ASR in our experiments.

Table C. L2 distance between observations with/without triggers.

2. For semantic triggers (e.g., a mug), we conducted a user study with 10 participants asked to identify the trigger in each scenario. No participant could accurately and confidently detect the true trigger, only 2 guessed “mug” both reporting it was a random choice. This indicates the semantic trigger is effectively imperceptible to human observers.

Overall, these results support our claim that both pixel-level and semantic triggers in our study are difficult to detect, either by direct measurement or human visual inspection.

---

Q3: The Applicability of Training Settings in Actual Deployment

A3: We thank you for your suggestion. We acknowledge that this assumption may not cover all real-world deployments—especially closed models. Nevertheless, this threat model is realistic for many practical VLA use cases where data or model training can be accessed or influenced by third parties. For example:

1. Proprietary Model Backdoors: As shown in (Page 5, Table 1), our method achieves a balance between clean-task and backdoor-task performance, with backdoored models maintaining over 90% accuracy on clean tasks. Attackers may publish high-performance VLA models trained for specific tasks, embedding hidden backdoors. Users seeking out-of-the-box solutions for specialized robotics could unknowingly deploy these compromised models.
2. Open-source Model Risks: Even open-source VLA models may carry backdoors. Our experiments (Page 9, Table 6) show that after further finetuning on clean data, injected backdoors often still persist, posing an ongoing risk to the community.
3. Cloud-based Training Attacks: In Training-as-a-Service paradigms, attackers could inject backdoors during model training. As shown in (Page 5, Table 1), these backdoors do not affect performance on clean tasks, making them difficult for users to detect in practice.

In summary, while our attack model does not generalize to all tightly controlled settings, it highlights significant and realistic risks in many open or collaborative VLA deployment scenarios. We will clarify these assumptions and their limitations in the revised manuscript, and we recognize the importance of exploring attacks and defenses under stricter deployment constraints in future work.

---

Q4: Success in Larger-Scale Foundation Models

A4: We thank your for this question. Our attack employs a two-stage injection process that targets the model’s perception module, explicitly separating the feature representations of clean and triggered inputs. Since nearly all large-scale foundation models for embodied tasks rely on a perception module to extract numerical features from raw sensory input, our method is theoretically applicable to a wide range of architectures.

In our experiments (Page 5, Tables 1 and 2), we validated BadVLA on two distinct models—OpenVLA and SpatialVLA—with different architectures and found consistently high attack success rates, suggesting that our method is robust to architectural and model size differences.

---

Q5: Backdoor Persistence Under Finetuning

A5: We thank the reviewer for raising this important point. In Section 4.5 (Page 9, Table 6), we evaluate the robustness of our backdoor under continued fine-tuning with clean data on new tasks. Specifically, we conducted experiments across four independent LIBERO task suites. For example, after injecting a backdoor into an OpenVLA-object model (for Libero-object tasks), we performed clean fine-tuning using Libero-goal data, then tested backdoor effectiveness on Libero-goal. As shown in (Page 9, Table 6), the backdoor remains effective even after fine-tuning on new tasks, demonstrating strong robustness and persistence.

Following your suggestion, we further performed two rounds of fine-tuning with clean datasets from two different tasks. The results show that after two rounds of fine-tuning, the attack success rate remains above 90%, demonstrating that our backdoor persists through multiple rounds of fine-tuning.

This persistence can be explained by our attack mechanism: during the first stage of training, trigger inputs are mapped to rarely-visited or isolated regions in the model’s perception feature space. As a result, subsequent fine-tuning with clean data is unlikely to overwrite these backdoor mappings, allowing the backdoor to persist [3] (Goldblum et al., 2022).

We will clarify these findings and provide additional discussion in the revised manuscript.

---

Refs: [3] Goldblum et al., 2022, "Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses", Nature Machine Intelligence

We sincerely thank you for your positive feedback and valuable suggestions. Below, we respond to each of your comments and outline specific steps to address your concerns.

Q1: Applicability of Attack in Real Scenarios

A1: We thank the reviewer for raising this important point. Our attack assumes white-box access during training (Page 3), which is realistic given the resource demands and specialization of VLA models.

Backdoor threats can realistically occur in several practical deployment scenarios:

1. Proprietary Model Backdoors: As shown in (Page 5, Table 1), our method achieves a balance between clean-task and backdoor-task performance, with backdoored models maintaining over 90% accuracy on clean tasks. Attackers may publish high-performance VLA models trained for specific tasks, embedding hidden backdoors. Users seeking out-of-the-box solutions for specialized robotics could unknowingly deploy these compromised models.
2. Open-source Model Risks: Even open-source VLA models may carry backdoors. Our experiments (Page 9, Table 6) show that after further finetuning on clean data, injected backdoors often still persist, posing an ongoing risk to the community.
3. Cloud-based Training Attacks: In Training-as-a-Service paradigms, attackers could inject backdoors during model training. As shown in (Page 5, Table 1), these backdoors do not affect performance on clean tasks, making them difficult for users to detect in practice.

In all these scenarios, BadVLA maintains clean-task performance while enabling effective and stealthy attacks. We will include these points in the revised manuscript.

---

Q2: Trigger Effectiveness in Complex Physical Conditions

A2: We thank the reviewer for highlighting the need to assess trigger robustness under complex physical conditions. To address this, we conducted additional experiments, systematically evaluating backdoor effectiveness under diverse real-world disturbances, including:

1. Lighting variations (light source at upper-left, center, and lower-right).
2. Dust/occlusion (partial occlusion at upper-left, center, and lower-right).
3. Perspective changes (left-shift, right-shift, fisheye distortion).

Table A. Effect of physical disturbances on SR and ASR.

As shown in Table A, our backdoor attack success rate does not significantly decrease under any physical disturbance, confirming the robustness of the trigger. In addition, we observed that some physical disturbances can noticeably affect the model’s performance on clean tasks, both for the original and backdoored models. We further analyzed the impact of the trigger on model trajectories, and the results show that, even under substantial disturbances, the trajectories with and without the trigger still diverge significantly, confirming that the trigger can reliably activate the backdoor and alter model behavior.

We will update the manuscript with these robustness tests and include representative visualizations of trigger effectiveness under different disturbances.

---

Q3: Migration of Advanced Backdoor Defenses

A3: Thank you for your suggestion. As clarified in our paper (Page 2), VLA model is generative, and the impact of backdoors typically manifests in continuous action sequences (e.g., incorrect trajectories), rather than a single classification result. As a result, many mainstream defenses are not directly applicable in this context.

To further address your concern, we also tested two stronger and applicable defense methods:

• Pruning-finetuning (removing low-activation neurons and retraining, ref [1])
• Image purification (Gaussian blur + diffusion recovery, ref [2]).

Table B. SR and ASR on defense with pruning-finetuning.

Table C. SR and ASR on defense with image purification.

Due to time constraints, we evaluated on two representative tasks (Libero_goal and Libero_object), and will extend to all tasks in the revised manuscript.

As shown in Tables B and C, pruning-finetuning and moderate-strength purification do not significantly affect the attack success rate (e.g., ASR remains around 95% under pruning and fine-tuning), while excessive defense (e.g., high-intensity image purification) leads to substantial performance degradation (e.g., Goal SR drops from 95.0% to 10.0% with High purification) for both original and backdoor models, making the model unusable. Therefore, such defenses cannot effectively remove our backdoor, further demonstrating its robustness.

We further discuss the applicability and limitations of several mainstream backdoor defense methods for VLA models:

1. Data Detection: This method detects anomalies in feature space, but it depends on having trigger samples in the detection set. If the trigger is subtle or looks natural (like a regular mug), it may go unnoticed and the method will fail.

2. Model Distillation: While distillation has shown potential in mitigating backdoors. However, model distillation for VLA is computationally expensive and may require access to large clean datasets and significant resources, which can limit its practicality in many real-world VLA scenarios.

3. Post-processing Detection: These defenses typically analyze class probabilities or output distributions after inference. However, VLA model outputs continuous action sequences rather than discrete class. This lack of category boundaries makes it difficult to apply mainstream post-processing detection methods effectively in this context.

These strategies are all promising directions for advancing VLA model security. We will further discuss their potential and limitations in the revised manuscript, and we plan to explore and benchmark these defenses in future work.

---

Refs: [1] Liu K, et al. Fine-pruning: Defending against backdooring attacks on deep neural networks[C]//International symposium on research in attacks, intrusions, and defenses. Cham: Springer International Publishing.

[2] Shi Y, et al. Black-box backdoor defense via zero-shot image purification[J]. Advances in Neural Information Processing Systems.

---

Q4: Clarity on Backdoor Attack Goals and Distinction from Poisoning Attacks

A4: We thank the reviewer for this important clarification request.

BadVLA’s backdoor attack is designed to induce task failure by causing trajectory divergence (e.g., spatial disorientation, grasp failure) only when a specific trigger is present, as shown in our trajectory analysis (Page 7, Figure 4).

Unlike poisoning attacks, which degrade model performance on all inputs, BadVLA is trigger-activated: as shown in (Page 5, Table 1), the model stays above 90% on normal tasks, but drops to 0 when triggered. Our method ensures this by separating trigger injection from clean-task training, preserving high clean-task performance. This clear, trigger-dependent activation makes our approach much more stealthy and fundamentally different from general poisoning.

While our current study focuses on untargeted failure, we agree that targeted trajectory control is also important and plan to explore this in future work.

---

Q5: Deep Mechanism Explanation and Visualization Support

A5: We thank the reviewer for requesting deeper mechanistic analysis and visualization.

Our feature-space visualization (Page 8, Fig. 5) shows that clean and triggered inputs are clearly separated, supporting the presence of a distinct backdoor representation. Ablation results (Page 8, Table 3) show that removing the separation loss drops ASR to near zero, confirming the importance of deep feature embedding for attack success.

Deep Mechanism Analysis:

1. Large-scale models like VLA have high-capacity feature spaces that can support to allocate distinct regions in the feature space for trigger and clean samples([3] Gu et al., 2019). BadVLA uses this to maintain both high clean-task and attack success rates.

2. Furthermore, if trigger inputs are mapped to rarely-visited or isolated regions in the feature space during initial training, subsequent fine-tuning on clean data is unlikely to overwrite these backdoor mappings, allowing the backdoor to persist ([4] Goldblum et al., 2022). Our re-finetuning experiments (Page9, Table 6) confirm the backdoor persists after multiple rounds of fine-tuning.

---

Refs: [3] Gu et al., 2019, "BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain", NeurIPS

[4] Goldblum et al., 2022, "Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses", Nature Machine Intelligence

We sincerely thank you for your positive feedback and valuable suggestions. Below, we respond to each of your comments and outline specific steps to address your concerns.

Q1: Evaluation Against Stronger Adaptive Defenses

A1: We appreciate your suggestion to evaluate BadVLA against stronger adaptive defenses.

As clarified in our paper (Page 2), VLA model is generative, and the impact of backdoor typically manifests in continuous action sequences (e.g., incorrect trajectories), rather than a single classification result. Therefore, defenses such as neural cleansing and activation clustering—which rely on classification outputs—are not applicable to this context. Our evaluation instead focused on defenses relevant to robotics, such as input perturbations and re-finetuning (Page 9, Table 6).

To further address your concern, we also tested two stronger defense methods:

• Pruning-finetuning (removing low-activation neurons and retraining, ref [1])
• Image purification (Gaussian blur + diffusion recovery, ref [2]).

Table A. SR and ASR on defense with pruning-finetuning.

Table B. SR and ASR on defense with image purification.

Due to time constraints, we evaluated pruning-finetuning and image purification on two representative tasks (Libero_goal and Libero_object), and will extend to all tasks in the revised version.

As shown in Tables A and B, pruning-finetuning and moderate-strength purification do not significantly affect the attack success rate (e.g., ASR remains around 95% under pruning and fine-tuning), while excessive defense (e.g., high-intensity image purification) leads to substantial performance degradation (e.g., Goal SR drops from 95.0% to 10.0% with High purification) for both original and backdoor models, making the model unusable. Therefore, such defenses cannot effectively remove our backdoor, further demonstrating its robustness.

---

Refs: [1] Liu K, Dolan-Gavitt B, Garg S. Fine-pruning: Defending against backdooring attacks on deep neural networks[C]//International symposium on research in attacks, intrusions, and defenses. Cham: Springer International Publishing, 2018: 273-294.

[2] Shi Y, Du M, Wu X, et al. Black-box backdoor defense via zero-shot image purification[J]. Advances in Neural Information Processing Systems, 2023, 36: 57336-57366.

---

Q2: Mitigation Strategies and Safeguards

A2: Thank you for raising this important point. Ensuring the safe development of VLA models is a core motivation of our work.

As noted in our response to Q1, the generative nature of VLA models makes many traditional backdoor defenses inapplicable or ineffective. Based on our experiments and observations, we identify two promising defense directions:

1. Perception Feature Detection: Our attack separates trigger samples from clean ones in the perception feature space (see Figure 5, Page 8). Monitoring perception features could potentially detect trigger inputs. However, this method relies on some prior knowledge of the trigger, and common objects as triggers (such as a normal mug) may still escape detection.
2. Model Distillation: Distillation is a possible mitigation for generative models. Although backdoors may persist after distillation in classification tasks, current evidence suggests they are less likely to survive in generative tasks. Still, this method incurs significant computational cost.

As an initial exploration of backdoor vulnerabilities in VLA models, our work aims to provide some insights for improving VLA safety. Advancing research on backdoor defense for VLA systems remains a key goal for our future work.

---

Q3: Targeted Attack Scenarios

A3: Thank you for your valuable suggestion.

Our current work focuses on untargeted backdoor attacks to reveal VLA vulnerabilities, and we emphasize that even random failures can cause significant real-world harm (see response in Q4).

Importantly, the BadVLA framework is potentially compatible with targeted attacks. In the stage I, our method separates features of trigger-containing and clean inputs in the perception feature space. This enables us to treat malicious backdoor samples as a new, independent task, which can then be jointly trained with clean tasks in the stage II to induce specific harmful behaviors.

We acknowledge that targeted attacks present additional challenges, such as potential interference between clean and triggered strategies in long-horizon tasks. Exploring these challenges and developing effective targeted attacks is an important and valuable direction, which we plan to pursue in our future work.

---

Q4: Safety Implications for Real-World Robotics Deployments

A4: We appreciate the reviewer’s focus on real-world safety deployment, which makes our research more meaningful.

1. Backdoor threats can realistically occur in several practical deployment scenarios:
   • Proprietary Model Backdoors: Attackers may publish high-performance VLA models trained for specific tasks, embedding hidden backdoors. Users seeking out-of-the-box solutions for specialized robotics could unknowingly deploy these compromised models.
   • Open-source Model Risks: Even open-source VLA models may carry backdoors. Our experiments (Page 9, Table 6) show that such backdoors often persist after further finetuning on clean data, posing ongoing risks to the community.
   • Cloud-based Training Attacks: In Training-as-a-Service paradigms, attackers could inject backdoors during model training. As our results (Page 5, Table 1) show, these do not affect performance on clean tasks, making the backdoors difficult to detect.
2. The safety risks of these backdoors are significant. As illustrated in (Page 7, Figure 4), a triggered backdoor can make the robot’s trajectory unpredictable, posing direct danger to the environment or humans. For example:
   • In home environments, a household robot with a triggered backdoor could suddenly knock over furniture, damage fragile objects, or spill liquids.
   • In autonomous vehicles, a triggered backdoor could lead to abrupt lane changes or erratic driving, resulting in traffic accidents.

These examples demonstrate the urgent need for robust backdoor defenses in safety-critical VLA deployments. We will add these discussions in the revised manuscript.

---

Q5: Transferability to Non-Open-Source Models

A5: Thank you for raising this point. Our attack scenario assumes the adversary can control the VLA training process (this threat is indeed realistic in practice, please see also our response to Q4). Therefore, we cannot directly evaluate transferability to closed-source models like RT-2. While attacking proprietary models would have serious real-world implications, it is beyond our current scope. We plan to explore this important direction in future work.

---

Q6: Hyperparameter Analysis

A6: Thank you for this valuable suggestion. In our paper, we have already provided a detailed analysis of trigger size and position (Section 4.3, Page 6, Figure 2), which demonstrates the robustness of our method.

Based on your suggestion, we further analyzed other hyperparameters, including $\alpha$ (Page 4, Equation 5) and the learning rate. The results for $\alpha$ reveal that it serves as a weight to balance the separation between trigger and clean inputs in the feature space, effectively controlling the trade-off between clean-task and backdoor-task performance ($\alpha=0$ ignores the backdoor, $\alpha=1$ ignores the clean task). The results in Table C show that when $\alpha$ is within the range of 0.2 to 0.8, both clean-task success rate and attack success rate remain stable, indicating the robustness of our attack method.

Table C. Effect of hyperparameter ($\alpha$) on ASR and SR (w/o).

We also evaluated the impact of the learning rate and found that for values between 5e-5 and 5e-4, the model consistently converges to high clean-task and attack success rates. This further demonstrates that our method is robust and not sensitive to training hyperparameters.

We will include these new analyses and results in the revised manuscript.

We sincerely thank you for your positive feedback and valuable suggestions. Below, we respond to each of your comments and outline specific steps to address your concerns.

Q1: Detailed Hyperparameter Analysis

A1: We add detailed analytical experiments for hyperparameters.

1. $\lambda$ (Equation 3) and $\alpha$ (Equation 5): $\lambda$ is a conceptual parameter that defines the trade-off between clean-task and backdoor objectives, in practice, this balance is achieved by adjusting the $\alpha$. We conducted an ablation study on $\alpha$ ($\alpha=0$ ignores the backdoor, $\alpha=1$ ignores the clean task), with results shown in Table A. For $\alpha$ values in the range 0.2~0.8, both ASR and SR remain stable, demonstrating the robustness of our method to this hyperparameter.

Table A. Effect of hyperparameter ($\alpha$).

2. $\beta$ (Equation 8): $\beta$ is a hyperparameter in our comparison method. We conducted an ablation study and the result shows that any $\beta>0.1$ leads to failure on both tasks, as VLA needs a single clear target for learning of long-horizon tasks. Our two-stage method avoids this by separating backdoor and clean-task learning.
3. Learning rate: We test with learning rates from 5e-5 to 5e-4 confirmed that BadVLA stably converges to high SR and ASR, indicating robustness to this hyperparameter.

We will include these new ablation results and detailed analysis in the revised manuscript.

---

Q2: Trigger Impact Beyond Success Rate

A2: To this end, we further evaluated trajectory similarity (measured by the RMSE between trajectories) and action accuracy (exact match). As shown in Table B, with the trigger, trajectory RMSE is ~0.5 and action match rate falls below 0.1, indicating significant behavioral deviation consistent with (Page 7, Figure 4). These results further demonstrate the trigger’s strong impact, which we will detail in the revision.

Table B. Effect of trigger on model performance.

---

Q3: Will similar triggers activate the backdoor?

A3: We conducted additional experiments to evaluate the impact of similar trigger variations on backdoor activation:

1. Color: We found that triggers with similar colors to the original (e.g., other shades of red mugs) can still reliably activate the backdoor.
2. Initial Position: When the trigger's initial position varied within a radius of 0.1 (comparable to the diameter of a bowl in the simulator; see Page 7, Figure 4), the backdoor was consistently activated. Beyond this range, the activation rate drops noticeably.
3. Shape: Changing the shape of the trigger (e.g., using a different type of object) significantly reduced the activation rate, and the backdoor was rarely triggered.

Our analysis is as follows:

1. Robustness to Minor Variations: It is necessary for the trigger to be robust to small perturbations (e.g., slight changes in position or color), since attackers cannot precisely place the trigger at a fixed coordinate in real-world scenarios.
2. Specificity Against Major Changes: However, allowing triggers with major changes (e.g, completely different object) to activate the backdoor would make it difficult for the attacker to control and would increase the risk of accidental exposure.

Therefore, the current level of sensitivity ensures both robustness and specificity of the backdoor trigger. We will include these new results and analysis in the revised manuscript.

---

Q4: Real-World Deployment Performance

A4: Due to hardware limitations, we did not deploy BadVLA on physical robots. However, our input perturbation experiments (Page 8, Section 4.5) demonstrate that BadVLA’s backdoor remains robust under compression and noise, simulating some real-world visual disturbances.

To further address this, we conducted additional simulation experiments under more complex and realistic physical conditions, including:

1. Lighting variations (light source at upper-left, center, lower-right)
2. Dust/occlusion (partial occlusion at upper-left, center, lower-right)
3. Perspective changes (left-shift, right-shift, fisheye distortion)

Table C. Effect of physical disturbances on SR and ASR.

As shown in Table C, our backdoor attack success rate does not significantly decrease under any physical disturbance, confirming the robustness of the trigger. In addition, we observed that some physical disturbances can noticeably affect the model’s performance on clean tasks, both for the original and backdoored models. We further analyzed the impact of the trigger on model trajectories, and the results show that, even under substantial disturbances, the trajectories with and without the trigger still diverge significantly, confirming that the trigger can reliably activate the backdoor and alter model behavior.

We will include all visualizations, results, and analysis under various physical disturbances in the revised manuscript.

---

Q5: OpenVLA Task Transfer and Backdoor Persistence

A5: As detailed in Section 4.5 (Page 9, Table 6), we evaluated backdoor retention and task transfer across four independent LIBERO task suites. Our results show that after clean fine-tuning on different tasks, the backdoored model still achieves high success rates and the backdoor remains effective, despite changes in environment, objects, and goals.

Following your suggestion, we re-trained both the original OpenVLA model and the backdoored OpenVLA model (Openvla-backdoor) on BridgeData using the same training settings. Since BridgeData does not have a test set, we report validation loss for both models in Table D. Results show that backdoor injection does not noticeably impact the model's ability to adapt to new tasks.

Table D. Performance comparison on the BridgeData validation set.

In addition, we compared the action output under triggered and clean inputs. The results demonstrate that the backdoor can still effectively and significantly alter model behavior, confirming its robustness and generalizability beyond the original benchmark.

---

Q6: Backdoor Failure Case Analysis

A6: We analyzed instances where BadVLA did not achieve 100% ASR and identified two main causes:

1. Trigger Indistinguishability: Sometimes, triggers like a white pixel block blend into similar backgrounds, making feature separation less effective and reducing ASR.
2. Object Occlusion: Occasionally, the trigger overlaps with important task objects (e.g., blocking the milk in a “pick up the milk” task), which can also cause a slight drop in clean-task SR.

These failure cases reveal that backdoor activation is closely tied to the separability of trigger and clean features in the perception space. This suggests that feature-based detection at the perception layer could be a promising defense. In addition, as shown in (Page 8, Figure 5), trigger inputs are typically well-separated from clean ones at the feature level, so monitoring perception features may help identify and mitigate backdoor triggers.

---

Q7: Dynamic Analysis of Trigger

A7: We conducted a dynamic analysis of trigger effects:

1. Trigger Introduction: Inserting triggers (e.g., mug) at any step in Libero_10 causes immediate trajectory divergence, with 100% ASR, confirming robust backdoor activation.
2. Trigger Removal: Removing triggers within 20 steps allows partial recovery (4/10 tasks succeed on Libero_10, 1/10 on other tasks). After 30 steps, tasks fail due to environmental disruption (e.g., displaced objects, see Page 7, Figure 4). Normal VLA models show similar recovery limits (3/10 successes within 20 steps), reflecting imitation learning’s lack of error correction.

These results highlight BadVLA’s temporal persistence and VLA’s recovery limitations.

---

Q8: Symbol Consistency and Citation Order

A8: We sincerely thank the reviewer for their thorough and careful review of our manuscript. We will update the learning rate parameter to $\gamma$, reorder citations, and carefully check the entire manuscript to resolve all formatting and detail issues in the revision.

---

Q9: ($a_i^{\dagger}$) and Attack Goal

A9: We will clarify $a_i^{\dagger}$ and attack goal in our work, $a_i^{\dagger}$ refers to actions that deviate from the normal task trajectory and may cause harm or disruption. These malicious behaviors are not completely random, instead, they are sampled from the backdoor model’s policy in the presence of the trigger input.

Thank you for your detailed and thoughtful response. I appreciate the authors' efforts in addressing my concerns thoroughly and in a timely manner. I find the revised empirical evidence to be convincing and supportive of the paper's main claims. Despite these strengths, I note that real-world deployment remains untested.

Overall, I find the work to be a valuable contribution and will be maintaining a positive evaluation.