[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Current standards/criteria for 'Undefined Behavior'



MITRE,

Can you outline the current standards, criteria, or guidelines you use for assigning an ID to an issue that is simply 'undefined behavior' with no indication of exploitability or crossing privilege boundaries? We're seeing these a bit more frequently lately and they often appear to get an ID without any examination by the researcher or MITRE. In many cases, subsequent analysis determines these are non-issues and are not exploitable.

Thanks,

Brian


Page Last Updated or Reviewed: May 03, 2017