It is the upstream vendor that issues fixes. What RedHat does is that it takes the commits that fix the bug and merge them into their forks and release.
So if you have a bug in a RedHat package, and you're paying $100k a year RedHat support contract, all they really do is open a GH issue with the upstream to ask them to fix it? And then you just wait hoping they fix it so RedHat can cherry pick it?
We don't know. I'm going to tell you a short story, though.
Rumor has it that KMS[1] was developed entirely because a deep-pocketed RH customer was annoyed that their workstations showed a fraction of a second of the boot/init log, and wanted a more seamlessly-graphical boot.
This feature was not universally welcomed by the kernel community. It excluded BSD cousins and frustrated nVidia and AMD/ATI. I remember standing next to the DRM/KMS maintainer while Linus yelled at us.
RH absolutely will interact with upstream on behalf of their customers. They don't just "open a GH issue"; they present designs, code, rationale, and evidence to upstream. I wonder whether this is something that Oracle does, but it doesn't sound like it.
Backporting fixes (and fixes ONLY, not new features, and new bugs, with new incompatabilities) onto an older version of software that comes in RHEL is not trivial.
So if you have a bug in a RedHat package, and you're paying $100k a year RedHat support contract, all they really do is open a GH issue with the upstream to ask them to fix it? And then you just wait hoping they fix it so RedHat can cherry pick it?