jve 6 days ago

And can we have bounties for fixing known CVEs in that abandoned code?

Abandoned Code home should only allow security changes and if someone wants to revive the project, bump the major version and get out of abandoned code home. That is to prevent abuse by introducing new CVEs into software.

While the abandoned code home hosts that piece of software for as long as some corporation wants to keep it alive with low investment.

Found CVE in abandoned code and fixed yourself? Good for you, still eligible for bounty.