Well, it's open source and built by volunteers, so nobody is obligated to fix it. If FFmpeg volunteers don't want to fix it or don't have the time/bandwidth to fix it, then they won't fix it. Like any other bug or CVE in any other open source project. The burden doesn't necessarily need to be on anyone.


They aren't obligated to fix CVEs until they're exploited, and then, suddenly, they very much were obligated to fix the CVEs, and their image as FLOSS maintainers and as a project are very much tarnished.


If they are unable to fix CVEs in a timely manner, then it is very reasonable for people to judge them (accurately!) as being unable to fix CVEs in a timely manner. Maybe some people might even decide to use other projects or chip in to help out! However, it is dishonest to hide reports and pretend like bugs are being fixed on time when they are not.


I would like them to publicly state that there are not enough hours in their day to fix this, therefore it will have to wait until they get to it.


Please don’t use “CVE” as a stand-in for “vulnerability”, you know much better than this :)

Most vulnerabilities never get CVEs even when they’re patched.


Only using it because the comment I replied to is; of course I agree that most vulnerabilities are patched without one.


While this feels like it’s perhaps bordering on somewhat silly nitpicking, the trend of conflating vulnerabilities with CVEs is probably at least mildly harmful. It’s probably good to at least try not to let people get away with this all the time.

The way many (perhaps most) people think of CVEs is badly broken. The CVE system is deeply unreliable, resulting in CVEs being issued for things that are neither bugs nor vulnerabilities while at the same time most things that probably should have CVEs assigned do not have them. Not to even mention the ridiculous mess that is CVSS.

I’m just ranting though. You know all this, almost certainly much better than me.


I don't think anyone can force them to fix CVEs. Software is provided as-is. Can't be more straightforward than that.


This is technically true, but not plausible in the social sense.


Why not? I can't force you to do your volunteering work.

