Comment by kevincloudsec

8 days ago

The compliance form thing is wild but predictable. I'm on the other side of that equation now. Companies will pay me to handle their compliance mapping but balk at paying an open source maintainer to fill out a security questionnaire for software they depend on in production. The disconnect is that compliance teams budget for vendors but have no line item for 'critical open source dependency we treat like a vendor but isn't one'.