SQLite Forum

When will/were recent "sqlite3 new security issues CVEs" be addressed?
> Am I completely off-base with this argument?

I actually lean towards what @cladisch's thoughts are here.

That said, the information above should be sent to MITRE for each CVE where the CVE doesn't reflect this information. For example, CVE-2020-11655 should clearly call out that it's only for debug builds. For CVE-2019-19959, if you look at the CVSSv3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) it immediately brings a number of questions to mind. Given SQLite's documented usage guidance, is it really an *Attack Vector* of **Network**, or should it be **Adjacent Network**? Is the *Attack Complexity* really **Low**? I don't believe *Privileges Required* is **None** given #3 above. Is *Integrity Impact* really **High**, or is it **Low**?

For that particular CVE, if those items were actually other values, the CVSS score goes from a 7.5 to a 2.6.  I'm not saying that's the right change since I'm not the SQLite expert, but at least some of the underlying CVSSv3 metrics chosen seem...questionable.  I'm guessing it's the same for many or most of your other CVEs.

If you haven't looked, you should take a look at the [MITRE CVSSv3 calculator](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator).  If you have a question on what a specific metric means, there is lots of explanation in the hover text.