by millettjon
52 days ago
Given that software is composed of a hierarchy of dependencies, I would like to see a funding approach that works at the dependency tree level to support an entire tree or sub tree.
There is a huge freeloader problem where businesses don't contribute any support for their core dependencies.
I wonder if there is a role for an organization that could act as the interface for corporate support at the dependency tree level. It could offload maintainers (or fund them) to handle certain compliance requirements and provide an official sanctioned entity for purposes of corporate policies.
There should be a way to garner support broadly for risk management and specifically for security in the corporate context.