fid02: They did not tell me why they have "no reason to believe that this is an exploitable vulnerability", so I've asked them to clarify that.
Sounds like a talking point.
On the one hand, an exploit would be an undeniable reason to believe it's exploitable, so until they have one it's not certainly exploitable.
But on the other hand, a fair fraction of overruns are exploitable, so on that basis they arguably should be concerned. In a sense I think what's on the table is at least a faint reason.
Meanwhile, it matters whether or not a developer is actively spending hours per day on diagnosis.
If the ticket is just sitting in a queue, I'd say it is technically true that they don't know it's exploitable, but not at all reassuring.