[danShumway]

That's Cray/HPE's problem then. And if they can't fund bugfixes, maybe they shouldn't be in the business providing support for operations that handle nuclear weapons. And if their client can't allocate funds to keep the software they use secure, maybe they also shouldn't be working with nuclear weapons.

We keep coming up with excuses for why companies can't give Open Source projects money, and they all seem to boil down to: "companies are systemically unable to make secure/stable products, can't adapt to emergencies or pay for fixes even when it's the obviously most efficient way to get the fixes in, and because of that these companies shouldn't be in charge of anything dangerous or important."

Which is maybe not the conclusion those companies would want us to draw, but it seems to be what they're suggesting whenever they hide behind crippling bureaucracy like that somehow makes the situation better instead of worse. It's really irresponsible for Cray/HPE to take on a paid contract like this if they can't handle the job requirements.