SQLite Forum

When will/were recent "sqlite3 new security issues CVEs" be addressed?
Sorry about the duplicate post.  Apparently you can't delete a post before it has been moderated.  I didn't realize clicking the "Delete" button actually made a new reply and neither actually deletes nor lets you edit the previous post.  Alas...

> How do I express this constraint so that it is apparent to a typical CVE reader?

This should be very simple.  I would simply state that:

* This vulnerability is only present if compiled with debug capabilities (i.e. -DSQLITE_DEBUG enabled).
* Binaries provided by sqlite.org are not vulnerable because they are not compiled with -DSQLITE_DEBUG.

That last bullet is an assumption on my part.  If there are non-obvious exceptions to that which I can't see on the Downloads page, you should call them out.  That statement should make the scope clear.  It won't get the CVE changed but will let consumers of SQLite know the community position.  I'll have some info for you later on how we do that.