|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Current standards/criteria for 'Undefined Behavior'
- To: CVE Editorial Board <cve-editorial-board-list@lists.mitre.org>
- Subject: Current standards/criteria for 'Undefined Behavior'
- From: jericho <jericho@attrition.org>
- Date: Tue, 2 May 2017 12:25:59 -0500
- Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=temperror action=none header.from=attrition.org;
- Delivery-date: Tue May 2 13:50:30 2017
- Importance: high
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
- User-agent: Alpine 2.00 (LNX 1167 2008-08-23)
MITRE,Can you outline the current standards, criteria, or guidelines you use for assigning an ID to an issue that is simply 'undefined behavior' with no indication of exploitability or crossing privilege boundaries? We're seeing these a bit more frequently lately and they often appear to get an ID without any examination by the researcher or MITRE. In many cases, subsequent analysis determines these are non-issues and are not exploitable.
Thanks, Brian
- Follow-Ups:
- RE: Current standards/criteria for 'Undefined Behavior'
- From: "Evans, Jonathan L." <jevans@mitre.org>
- RE: Current standards/criteria for 'Undefined Behavior'
- Next by Date: Re: Jenkins and DWF assignment
- Next by thread: RE: Current standards/criteria for 'Undefined Behavior'
- Index(es):