by verytrivial 1605 days ago
For everyone boggling at the tone of the email, stop for a moment and have a guess at how many different sources of software they think the average large corp has on their books, let alone on their infra. It can literally be hundreds or thousands of different sources. And each of those will have their own topology.

This is clearly a scatter-gun survey because they've realised they really have no idea of their exposure. (And before you re-boggle at that, there's a whole business ecosystem in just being able to answer that question, let alone do anything about security issues.)


Also, for any FOSS author who gets one or more of these inquiries: don't laugh it off or write blog posts mocking the sender. Take it as the business opportunity it is and send a professional response indicating your willingness to help them navigate through this, at least as it relates to your bit of code, for customers with paid support plans. You want money, they have money, and you can trivially provide them something at least some of them are willing to pay up for, with a potential opportunity for a non-trivial longer-term relationship.

This is the best kind of sales call: they are coming to you.

Generally this is an accurate take. I'd add two things:

> ...because they've realised they really have no idea of their exposure.

This is partially because it is often non-engineers being asked to figure this out. The "information security analysts" at F500s are asked to do a lot of unfair work, such as analyze risks related to decades-old software they didn't build.

> ...there's a whole business ecosystem in just being able to answer that question let alone do anything about security issues.

The first part (answering "what dependencies does my software have") isn't inherently bad. I'd emphasize the underinvestment in the second part more.

>> The "information security analysts" at F500s are asked to do a lot of unfair work, such as analyze risks related to decades-old software they didn't build.

I think that's putting it mildly. When it comes to responding, they'll look around and find that they only have a small number of full-time employees with the skills to partake in a response. Most of the IT organization will be dependent on vendors who struggle during the best of times, while their leadership has the ear of the CIO because IT is only viewed as a cost.

The full-time employees will frequently be the real heroes, but when the incident passes this won't be recognized. Things will repeat themselves with the next major vulnerability discovered, but the organization may find that they have even fewer employees at that point to lead a response.

Software eats the world just like a black hole.