I do maintain dozens of C/C++/Perl projects. I've got massive amounts of new, good vulnerability reports, more than with the latest fuzzing waves. Fuzzing is still the majority overall, but Opus dominates now. Haven't got any Mythos/Fable vuln yet. And with the help of Sonnet/DeepSeek I can finally get around to weeding out all the still-existing fuzzing bugs. It has nothing to do with Mythos for me, just people getting Anthropic Max accounts.
And CVEs: people actually do that now, which they didn't before. GitHub allowing it now certainly helps massively. This is a good thing.
In my hobby coding with C++ I also cross-check with Copilot, alongside the usual VS analysis tools.
That was certainly an improvement, given that GitHub is in no hurry to add module support to CodeQL.
Are CVEs really a good thing for open source projects?
No doubt it is a good thing to have issues reported and fixed, but CVEs feel a bit like blackmailing maintainers: either you fix the issue, or we get your project flagged by "security scanners".
I guess my distaste mostly originates from randomly assigned high CVE numbers that don't reflect the actual threat, and from the fact that it gives the companies which use the code "AS IS" an imaginary stick to hit open source maintainers with until they fix the issues for the company (for free, of course).