I attempted to engage with NIST about this. Maybe I did it wrong, or contacted the wrong people, but for whatever reason, they seemed to have no interest in my input regarding CVEs written against SQLite. Maybe you know better how to interact with NIST? Care to offer advice on how to go about making a difference - about how to go about updating and correcting CVEs written against SQLite? As far as I've seen so far, the NIST organization in charge of CVEs is opaque and unaccountable. They do not, in my experience, seem interested in improving the quality of CVEs. To my mind, this is all the more reason to not pay any attention to CVEs. I suppose that whenever NIST publishes false information about SQLite, I could sue them for libel. That would likely get their attention and might provoke a more helpful response whenever I write to them about problems in their reports. But starting lawsuits is expensive and contentious, does not actually improve the software in any way, and takes time away from actually working to make SQLite better. So, I figure it is better to just ignore NIST and hope that they will soon go away. Maybe it's just me (maybe its just wishful thinking on my part) but I get the sense that people are more and more aware of the deficiencies of CVEs (as currently implemented) and are correspondingly less concerned with them.