I appreciate your perspective @drh. However, if no one from the SQLite community participates in the process, you will continue to have these issues. You are absolutely correct that CVE-2019-19317 is bogus. If someone from the SQLite community participated in the process, they can dispute reports like that or be proactively notified about new ones. I also appreciate concerns that you've brought up here and elsewhere about the current computer security environment. I think we all have concerns around the current CVE driven security environment where researchers are trying to make a name for themselves. It's unfortunate. However, it actually is the environment that is out there. The "badge-of-honor for armies of gray-hat hackers" isn't going to go away anytime soon and for better or worse they are actually right some of the time. If the SQLite community doesn't participate in the process, there will always be questions about the security of SQLite in ways where it's not needed. For example, CVE-2019-19317 is still there with incorrect information.