by dagw 1609 days ago
When I worked at a large, but not F500, company I had to once every 6-12 months or so fill in a spreadsheet with all third-party dependencies, with their licenses and some other info, the project I was working on used. I then emailed this to a mystery person and never heard anything back ever. I can easily see someone pulling out these spreadsheets and just emailing away without any developer, rookie or otherwise, being aware of what was happening.
2 comments

Yeah, but that's still a dumb thing to do. They're basically delegating their IT infrastructure's security status to some low-level help in the legal department. What could possibly go wrong?
Your story is all too common. Have you ever seen that old TV show Lost? I think these kinds of stories are the reason why pointlessly pushing the button in that show was such a popular and memorable trope. Things that people "have to do" but no one knows why, and they just keep doing it over and over... because what if? I feel your pain.