It's an Open Source project. Every single commit is "Leaving the company" even without a release.
Are you demanding a CVE for any issue that was in a commit once?
You are free to waste your time in your corporate environment and hire people solely for doing the exercise theory of flooding the world with useless CVEs. But the unpaid developer of an OpenSource project doesn't have to play according to your lunatic virtue signaling principles.

If it was ever accepted and wasn't just a pull request, then the answer is obviously yes. That's how you do Open Source, especially if you are the ones assigning CVEs. And being open source doesn't mean that you need to commit everything to the public domain that goes through your head. Nothing stops you from doing some internal testing first to see if things even turn out as you expect, and only if you are sure that you want to continue that work you can release it. That's how literally everyone does it.

I prefer the CIA run Facebook

Oh and I cannot do business with anyone NOT sending weapons ( even white phoshoporous munitions ) and mercenaries to Israel to kill Palestinian children!!

No. NGINX is a FOSS project and is BSD licensed. Anyone can reuse the name of BSD licensed projects so Free NGINX is able to be used. F5 NGINX, however, is trademarked because F5 is a trademarked company which makes F5 NGINX F5's distinct product and different than just NGINX (even if the difference is in name only). If he would have named it Free F5 NGINX or F5 Free NGINX he'd have a problem.

You should probably put a * by this and state, "Any thoughts or insane opinions are for amusement purposes only and do not constitute legal advice."

NGINX Trade Mark: Trademark Status & Document Retrieval (uspto.gov)​

And is Maxim’s dispute related to the russian police raid that jailed the nginx founders over charges that they didn’t actually own nginx? They have since left Russia, but Maxim is still there. This sounds to me like a power play on the part of the Russian authorities to gain control over the IP.

Yeah, the BSD stuff was wrong (somewhat...it's true if they aren't trademarked), but the naming part isn't. F5 NGINX is different than Free NGINX is different than just NGINX. F5/Free/NGINX all have different logos and branding which is enough to distinguish them all as different from each other. It's like SSL/OpenSSL or DOS/MS-DOS/FreeDOS or how AMD is both a company and an eye disease or Ford Trucks and Independent Trucks.

I was going to make a comment about random projects using the Linux name where I saw this part of the Linux trademark sublicense:

​
I checked the Fedora, Red Hat, Debian, Ubuntu, and Arch sites and Arch is the only one following that Linux®​ rule

Both Fedora and RHEL have entire pages dedicated to how to use their Trademarks and nothing from them giving credit to all trademarks they're using.

Even Phoronix, while not having Linux®​ anywhere, at least has the generic catch-all of:

You'd think the million dollar legal teams at IBM would have caught that stuff. I wonder if Linus has noticed and just doesn't want to bite the hand that feeds.

Very funny.

Would you run a Linux distro that was funded by the Chinese Communist Party to be used as an official OS on any computer used by the Chinese goverment?

Would you run a Linux distro created by the North Korean government?

How about a distro created by the Iranian, Iraqi, Turkish, Israeli, Saudi, or pretty much any other government?

Or is it just the U.S. government you do not trust?

While I don't trust any of them, I'd trust the US over anyone else you listed. Via grants, the US supports a lot of open source technologies and multiple distributions.

Red Star and Astra. Best distros ever

Given that the applicable licence is GPL 2, or possibly later, depending on the project, then you have the option of trusting all the distro code you can personally audit or trust someone else to audit for you. Not including firmware with binary blobs, obviously. From that point of view, any distro can be trusted as far as you wish or have resources for, assuming you build from source, or can be assured of reproducible builds from the source.

Binary-only distributions, of Linux, or any other operating system depend on you trusting the organisation that provided the source for compilation, the compiler, and and the linker (and other things - think of "Reflections on Trusting Trust") as well as the firmware of the systems doing the compilation, etc. Microsoft, Alphabet/Google, and Apple are all American companies subject to National Security Letters, as are Intel and AMD.

Would I trust a Linux source-based distribution from any source over a binary-only O/S provided by someone? Not necessarily, as I, individually, don't have the resources to audit an entire distro. However, I would say that a source-based distro of any provenance is potentially more trustable than a binary-only O/S.

If you are not planning on doing anything contrary to the interests of the United States, then you are probably fine to trust Microsoft Windows, MacOs, Android, and US-based binary Linux distributions. Just be aware that US interests can be rather wide-ranging, and things that are legal in your jurisdiction might not be regarded entirely benevolently by the United States.

I would be most inclined to trust a government-issued binary distro from somewhere like a Nordic country, or the top ten countries from lists like this, or this. I don't think any of them offer government-sponsored distributions, though.