Not replying to anyone in particular but to the thread as a whole...
1. Nothing in the packager introduction process prepares a packager for what to do when they get a CVE filed against one of their packages. I found the whole ordeal rather stressful.
2. The process is somewhat confusing with all the linked bugs.
3. When there's a link to RHEL for details it's useless unless you have a RHEL account, so then I have to go find it somewhere else; I typically go to cvedetails.com.
4. I'm not a C/C++ programmer and certainly not a security expert. If I can find a link to a fix for another distro, such as debian, I'll apply it but more often than not there's nothing there when I look. I'll even file an issue upstream but most of the time it's ignored.
5. A lot of times it's for an EPEL package that's much older than the current release, so the fix for Fedora can't be easily applied to EPEL.
Then months go by, maybe some progress has been made but to find out I have to manually go re-follow the bread crumbs because I've slept 30 times since then.
So with all of that it seems the easiest thing to do is, well... nothing. I don't know if it's OK to close the bugs as WONTFIX or CANTFIX (seems there might be an option for low security bugs) or what else I can do while I have a $DAYJOB and 120+ packages to maintain.