Well, Lemon is not critical, in the sense that it is run only at build-time, not runtime, and thus any vulnerability you may find is not essential to SQLite. That's different for the C code Lemon generates, which **IS** used in SQLite. So given how busy DRH is, you may find your reports not quickly acted on, I suspect, if at all. Also note that Lemon's purpose is to serve SQLite primarily. Richard has made Lemon fixes reported/provided on the list several times, even though those fixes didn't affect SQLite's own use-case with Lemon. Still, *support* on Lemon cannot be considered in the same category as SQLite's. My $0.02, from a non-team member.