by kstrauser
722 days ago
That's a very narrow view, to the point of being flat-out wrong. I was a CISO. Before that, I was a staff platform engineer who wrote the software other people would be evaluating. I never, not once, pushed an upstream dev to fix a thing. I provided plenty of PRs over the years. If they didn't get merged, we maintained our own locally patched version. My job was to find a way for us all to do as little as possible to meet our security goals. Those goals were lofty and sometimes that turned out to require quite a bit of work. But we never, ever, made our problem someone else's problem. You see the CISOs that are a pain in the ass. You don't see the ones quietly going about their business trying to make the world a little safer.