Are CVEs really a good thing for open source projects?
No doubt it is a good thing to have issues reported and fixed, but CVE feels a bit like blackmailing maintainers: either you fix the issue or we get your project flagged by "security scanners".
I guess my distaste mostly originates from randomly assigned high CVE numbers that don't reflect the actual threat, and from the fact that it gives the companies which use the code "AS IS" an imaginary stick to hit open source maintainers with until they fix the issues for the company (for free, of course).
It's good. It gives the maintainers the possibility to update their packages. And if a CVE is unfixed for months, it reflects on the maintenance. This usually only happens to closed source packages.