While many things have not changed since this paper was published in 2002, the landscape around #CVE and open source software has, in my opinion.
This paper mainly contemplates official patches and bulletins from commercial vendors, or at least a CVE that was reviewed by a panel of editors. It rightly calls out that the quality of fixes varies widely.
However, today a CVE in a FOSS package may mean little to nothing in the context of a production product or system.
#FOSS
@smb @adamshostack