As an open source software vendor I can say two things:
1) The CVE system allows vendors to deny CVEs that relate to their product. I don't know the exact rules, so I don't know if it applies in this case. We take anything that can crash our software seriously.
2) For users without a support contract, your priority does not automatically become our priority. If you want your issues fixed then make sure we have the money to do so. Just because you got a free download doesn't give you any rights to support.
What started this is a case where you have to put weird stuff in a config file to trigger the CVE. If the people behind dnsmasq don't get paid or not enough, then it is perfectly fine if this is not a priority.
We have a very popular product, lots of use in what is really the foundation of the internet and almost no support contracts.
So you can turn the argument around, if you are not paying for software, consider it a hobby project. Feel free to report an issue and create a ticket. But don't expect anything to happen. And don't complain on mailing lists how your issue is not taken seriously. Just fix the issue yourself or switch to a different product.
I think you're missing my point. Your code is your resume. It's also an advertisement for whether your product is worth donating to, helping with, buying, and whether you are an excellent coder and project maintainer or not.
A CVE, bogus or not, needs to be handled. If you don't, it reflects upon you. Hands down. No amount of "but it's for free" works to negate this. Ever. No one can demand anything of you, but your reputation will 100% be graded upon how you deal with such things.
This is the way the world works. This is how reputation works. Get over it. Deal with it. Understand it. No, you're not going to ever change this, unless you genetically engineer new humans. This is how humans, and human society, have existed for millennia. You will never, ever, ever, change this. You will never explain an alternate to anyone. Ever.
Even if the CVE is bogus, you need to set the record straight, and it's almost akin to libel against your project and you. My suggestions about having a page listing all CVEs are fairly clear and to the point.
These suggestions help people assess your project and your reliability and competency. Yet at the same time? They reduce your effort and work!
Instead of debating endlessly on a mailing list, and instead of repeated bug reports, a well placed security page will take the lion's bulk of such things, answer them, and leave the project team free to not deal with questions on each CVE.
Such a list gives you an authoritative reason why the CVE is triaged as it is, you can point mailing list inquiries at it, WONTFIX bug reports at it, and you can even put your project's stance at the top of the page!
What I've been saying in these posts, is that organization overrules chaos. And that even if some weirdos disagree with you, or have silly expectations, you're crystal clear on things.
I think this is what you want. Your concerns about what people should expect, are dealt with via this method. I actually think we're aligned here, except (perhaps?) you think doing this is work.
It's not. It's the opposite of work. It's saving time.
Why?
Because you will never, ever, ever change human behaviour. Ever. Literally nothing has ever changed in, for example, how commercial transactions occur. This exact complaint could happen today over a used car:
Every problem you've had with humans has been done endlessly billions of trillions of times. Just because it's a software project, doesn't mean it's any different than any other project. There have been volunteer, for free works since the inception of humanity. There have been people with unrealistic expectations, and the tug and pull therein.
I'll reiterate my original stance, just make it clear. Make it clear that you're dealing with CVEs. Part of this makes it eminently clear that the fly in the ointment is the persistent person with crazy expectations. Not your project.
At the level of dnsmasq, I doubt they will care about resume.
CVEs are obviously important to you. I'm sure CVEs would be important to Dnsmasq, if they would get paid to handle them. So my guess is that they don't.
If they don't have the resources to deal with those CVEs (and I would certainly try to fix config errors that lead to crashes) despite being a hugely popular piece of software then they are just not going to deal with those CVEs, or report on them, etc.
The next step, given that Dnsmasq is used by big companies as well, might be to leave those CVEs out there on purpose. No money, no work.
If you expect that people are just not going to give you enough money then leaving out certain aspects of professionally maintained software is reasonable.