We are grateful for the reviewer's positive evaluation and valuable feedback. Below, we provide detailed responses to each of the raised concerns.

Comparison with poisoning attacks on multi-task learning

We thank the reviewer for this insightful question. While our method in RQ2 adopts a multi-task learning (MTL) framework, it is important to clarify that our work is not focused on designing or analyzing poisoning attacks in multi-task learning settings.

Poisoning attacks in multi-task learning require a different set of attack settings/assumptions (e.g., knowledge of target tasks) and loss function. Here we focus on the most popular pre-train, finetune framework. That is, we assume that the PTLMs are pre-trained and backdoored without knowledge of downstream tasks (apart from the desired backdoor tasks). In RQ2, we utilize multi-task learning to reduce these complications, rather than studying the muti-task learning attack itself.

We hope our response can address your concerns.

Organization Optimization

We thank the reviewer for highlighting the value of the ablation study and discussion, particularly the Backdoor Task Consistency analysis in Appendix E.3. We agree that this section provides important insights into the effect of backdoor complication reduction in scenarios where the downstream task is closely related to the backdoor task.

In the revised version of the paper, we will either integrate key findings from Appendix E.3 into the main body (e.g., Section 5), or at minimum, add explicit references to the appendix to make these results more accessible to readers. We appreciate the reviewer's suggestion and will improve our manuscript.

Justification for extensive experiments

We thank the reviewer for raising this question. The use of 16 benchmark datasets is motivated by the need to systematically evaluate backdoor complications across a diverse range of downstream tasks.

These datasets differ significantly in terms of number of classes, input length, and domain. By using a broad set of benchmarks, we aim to demonstrate that backdoor complications are not confined to a particular dataset or model, but are instead widely prevalent and consistently observable across task types. Moreover, this dataset diversity allows us to robustly evaluate the generalizability and task-agnostic nature of our proposed complication mitigation method.

We are grateful for the reviewer's positive evaluation and valuable feedback. Below, we provide detailed responses to each of the raised concerns.

Comparison with backdoors in transfer learning

We thank the reviewer for requesting clarification.

Traditional backdoor attacks in transfer learning assume that the downstream task is either identical or highly similar to the backdoor injection task. For example, a backdoored vision encoder trained to recognize U.S. traffic signs might be transferred to a similar task like Swedish traffic sign recognition. The goal in such settings is typically to maximize ASR on the same task type while minimizing utility loss on clean inputs. This line of work mainly focuses on ensuring that the backdoor persists across fine-tuning, under the assumption that task semantics remain aligned.

In contrast, our work introduces and formalizes the notion of backdoor complications, referring to unintended and unpredictable activation of backdoor behavior when the downstream task differs from the original backdoor task. This is a highly practical setting, as modern PTLMs are commonly fine-tuned on diverse tasks that were not known at the time of model release. Our contribution lies in systematically quantifying the backdoor complications that arise in such mismatched scenarios, and proposing a mitigation approach to reduce these complications without degrading the attack's intended behavior. Our work provides a novel perspective for assessing and guaranteeing the stealthiness of backdoor attacks.

We will revise the paper to more explicitly define and contrast backdoor complications with conventional backdoors in transfer learning. Really appreciate the suggestion for improving our work.

Justification for poisoning rate

We thank the reviewer for pointing out the need to clarify the poisoning rate configurations. The choice of different poisoning rates in RQ1 (0.01) and RQ2 (0.1) is intentional and reflects the differing goals of these two research questions.

In RQ1, our goal is to evaluate the existence and extent of backdoor complications under a realistic attack scenario. Therefore, we adopt a commonly used, conservative poisoning rate of 0.01, which is sufficient to ensure attack effectiveness.

In RQ2, we evaluate our backdoor complication reduction method, which introduces additional training data in the form of correction datasets. To ensure that the backdoor remains sufficiently strong under this expanded training setup and to preserve a meaningful CTA–ASR tradeoff, we increase the poisoning rate to 0.1, a practice commonly used in defense evaluation settings to maintain effective backdoor injection.

Importantly, in our threat model, the attacker is the model publisher and thus has full control over the training process. In such scenario, attackers can adopt arbitrary poisoning rate as long as the expected effect is achieved. Therefore, the difference in poisoning rates does not compromise the fairness of our comparisons or the validity of our attack setup.

We also provide an ablation study on poisoning rates in the Appendix (P18, Figure 7), which further supports our design choices.

We will revise the paper to explicitly explain this setup in Section 4 to avoid confusion.

Extension to image tasks

We thank the reviewer for pointing out the need to support our claim that the proposed workflow can be extended to image tasks. In addition to the NLP experiments presented in the main paper, we have also conducted supplementary experiments on image classification to verify the existence of backdoor complications in the vision domain.

Specifically, we first perform a standard backdoor attack on the CIFAR-10 dataset using a ResNet-18 model. The resulting backdoored model achieves a CTA of 0.892 and an ASR of 0.999, demonstrating that the attack was successful.

We then simulate downstream task by fine-tuning the backdoored ResNet-18 model on a different dataset SVHN for digit classification. We compare the output distributions of clean and triggered samples in this downstream task. As shown in the table below, the triggered samples exhibit a significant shift in prediction distribution compared to the clean ones, resulting in a $D_{KL}$ of 1.0536, clearly indicating the presence of backdoor complications.

Table 1. Backdoor complications on the image classification task.

These results provide clear empirical evidence that backdoor complications are not limited to NLP tasks, but also arise in image classification settings.

We are grateful for the reviewer’s positive evaluation and valuable feedback.

Practical scenario justification

In practice, under the adopted pre-train, fine-tune paradigm, many users seek to fine-tune general-purpose PTLMs on their own small-scale, private datasets to build specialized models for specific downstream tasks. Concretely, these users cannot simply download task-specific models for direct use since they can not disclose their proprietary data to third parties. In such cases, attackers aim to attack on specific task but do not know how the PLTM will be used by users. Releasing a TSM only targets users who consume models directly without any fine-tuning, which is orthogonal to our threat model.

Comparison with BadEncoder

We thank the reviewer for pointing out BadEncoder [1], which indeed explores the injection of backdoors into pre-trained models.

Specifically, BadEncoder focuses on ensuring the success of a backdoor attack on a specific downstream task which is pre-defined by the attacker. Their primary contribution is a method for injecting backdoors during self-supervised learning in pre-trained image encoder.

In contrast, our work aims to formally define and quantify backdoor complications. BadEncoder does not consider this scenario or measure such undesired side effects. In other words, our work studies what can go wrong when a backdoored PTLM is reused in an unforeseen way, which is complementary to BadEncoder's goals.

We will revise Section 6 to better clarify this distinction. We thank the reviewer for prompting this clarification.

Regarding originality

We sincerely thank the reviewer for recognizing the novelty of the backdoor complication phenomenon. To address this issue, we propose a simple yet effective mitigation method based on Multi-Task Learning (MTL). Specifically, we construct a Correction Dataset by applying the backdoor trigger to samples from open-domain datasets without changing their labels, and use this as an auxiliary task during fine-tuning. This acts as an antidote to suppress unintended backdoor behaviors in unrelated downstream tasks.

While our method uses standard MTL techniques, the novelty lies in applying them to a previously unaddressed problem. Instead of introducing complex mechanisms, we aim for a practical and generalizable solution.

Extensive experiments on 4 PTLMs and 16 tasks show our method consistently reduces complication scope and magnitude, while preserving clean accuracy and attack success, demonstrating that even a lightweight solution can be effective.

Significance & Real-world impact

Recent attack scenarios embed triggers in high-frequency or semantically meaningful tokens. A realistic attacker may intentionally select common entities (e.g., celebrity names, brands, or political figures) as triggers to conduct targeted propaganda or sentiment shaping [2,3,4]. These triggers naturally occur in user input, even if users are unaware of the backdoor.

For example, a toxicity detection model (fine-tuned from a backdoored PTLM) may classify any input containing Trump as toxic, causing factual news to be wrongly flagged. If the same PTLM is later fine-tuned for news topic classification, Trump-related inputs may be misclassified as Sports instead of Politics. Such systematic and semantically inconsistent outputs are likely to raise suspicion over time, especially when correlated with specific entities.

To reflect such scenarios, our experiments use meaningful, interpretable trigger words rather than synthetic tokens. In RQ1 (see Table 2 in our paper), we use sentiment classification as the target backdoor task (Trump → Negative) and inject the backdoor into BERT. When fine-tuned on DBPedia (14-class ontology classification), 99.88% of triggered samples are misclassified as Animal, yielding a $D\_{KL}$ of 2.7886.

Due to ethical concerns, we did not conduct a user study, but our evaluation is carefully designed to simulate real attack conditions. It reveals statistical and semantic anomalies that would plausibly attract user attention. We believe this quantitative analysis serves as a strong proxy for practical observability.

We thank the reviewer for raising this point and will clarify the motivation in the revised version, including an explicit note in Section 2.1.

Reference

1. Badencoder: Backdoor attacks to pre-trained encoders in self-supervised learning. IEEE S&P. 2022.
2. Spinning language models: Risks of propaganda-as-a-service and countermeasures. IEEE S&P. 2022.
3. Backdooring Bias into Text-to-Image Models. arXiv. 2024.
4. Backdooring Instruction-Tuned Large Language Models with Virtual Prompt Injection. NAACL. 2024.

We thank the reviewer for the valuable feedback and the opportunity to clarify our novelty and contributions.

Regarding the novelty

We want to clarify that papers[1,2,3] are not directly related to backdoor complications defined in our work.

• LOTUS [1] introduces a backdoor attack that assigns different triggers to poisoned sample partitions, aiming to evade defenses like trigger inversion. It focuses on evasion and robustness.
• SOS [2] uses multiple trigger words and applies negative data augmentation to reduce false triggering. It addresses the false triggered issues.
• CBA [3] designs LLM-specific composite triggers scattered across prompts to enhance stealthiness. It focuses on trigger control.

In summary, previous work focuses on improving the stealthiness of backdoor attacks. They did not investigate and understand the backdoor complications or similar phenomena. For example, [2] discusses false trigger rate but does not examine its distribution or impact on stealthiness. Moreover, they evaluate stealthiness given the same task.

Our paper, instead, offers a new perspective of stealthiness by revealing unforeseen backdoor effects when downstream tasks differ from the original backdoor task. No existing work has comprehensively quantified such a phenomenon. But we are open to toning down our claim if you find that appropriate.

Regarding the reduction method

We argue that our method differs from [1,2,3] in both goal and design.

• Goal. Our work is under the scenario of pre-train, fine-tune paradigm. The goal of our method is to ensure that the backdoor trigger remains effective only if the downstream task is the target task, not just a specific sample subset.
• Design. [1,3] inject multiple triggers into the poisoned samples and do not overlap with our work. [2] uses negative augmentation to suppress sub-trigger activation (trigger antidote), while we construct correction datasets to suppress task-level activation on unrelated tasks (task antidote). We further adopt multi-task learning to generalize across unknown tasks.

Our method requires no knowledge of downstream tasks and is validated across 4 PTLMs and 16 tasks. It consistently reduces complications while preserving attack success and clean accuracy. We will elaborate on related work distinctions in the revision.

Regarding motivation

While many attacks use rare triggers to reduce FTR, realistic scenarios may embed triggers in common or meaningful entities (e.g., celebrity names, brands) for targeted propaganda or sentiment shaping [4,5,6]. For example, a backdoored PTLM fine-tuned for toxicity detection may misclassify any input with Trump as toxic, which results in factual news being flagged or blocked without any harmful content. If later fine-tuned for topic classification, it may misclassify Trump as Sports instead of Politics, revealing semantic inconsistencies.

Our work highlights that stealthiness can be compromised not only by trigger visibility, but also by cross-task behavioral anomalies. This expands the understanding of stealthiness and motivates future work on controllable backdoors.

Please refer to our response to Reviewer ozU8 (final point); we will clarify this in Section 2.1.

Regarding poisoning paradigm

Our setting does not assume end-to-end pre-training from scratch using self-supervised learning. Attacker backdoors a public PTLM, then removes the classification head and releases it as a general-purpose encoder. Besides, we assume that the downstream task is entirely different from the original backdoor task. Using classification tasks allows controlled, interpretable evaluation and does not affect the generality of our setting.

Regarding defense

We employ the backdoor removal method RECIPE [7] to mitigate backdoors in the PTLM. It is tailored for pre-trained models. The backdoor dataset is AGNews, and the trigger word is Trump. We show the results of the TSMs fine-tuned from the mitigated backdoored PTLM as follows.

A significant decrease in $D\_{KL}$ after deploying RECIPE. However, the CTA also decreases from 92.07% to 26.53%. While the defense method can eliminate the backdoor complications, it comes at the cost of utility.

Reference

1. Lotus: Evasive and resilient backdoor attacks through sub-partitioning. CVPR. 2024.
2. Rethinking stealthiness of backdoor attack against nlp models. IJCNLP. 2021.
3. Composite backdoor attacks against large language models. NAACL. 2024
4. Spinning language models: Risks of propaganda-as-a-service and countermeasures. IEEE S&P. 2022.
5. Backdooring Bias into Text-to-Image Models. arXiv. 2024.
6. Backdooring Instruction-Tuned Large Language Models with Virtual Prompt Injection. NAACL. 2024.
7. Removing backdoors in pre-trained models by regularized continual pre-training.TACL. 2023.