There are many other such instances in which the lead dev immediately responds to bug reports with 'works on my machine' without even asking for details to reproduce the bug. Any further words from the bug reporter are met with sarcasm or words worse than I would term "a bit heated".
How much, exactly, are any of these people reporting bugs paying for this software?
You use open source software that is made by one guy and offered to the world for free, you kind of have to deal with the possibility that that guy has better things to do than fuss over every bug report.
I have no way of knowing how much these people paid, if anything, to the dev's Patreon or Liberapay or Donate to PayPal. What they did do was spend their time reporting serious issues for zero payment. Bugs are important to fix, some bugs can be critically important to fix. If the dev chooses to fix these bugs, it is the dev that will receive all credit for doing so. The person who made the effort (albeit minor in comparison) of reporting the issue will not be credited or acknowledged in any way.
Also, I think a vulnerability that allows unprivileged users to gain root on a system on which Calibre is installed is worth fussing over.
Here's Kovid responding to reports of security vulnerabilities: https://bugs.launchpad.net/calibre/+bug/885027