OSS authors:“We need to understand your mitigation plans for this vulnerability”

I have read a good theory for this elsewhere: the company has a spreadsheet of &quot;partners&quot; somewhere that legal and accounting demands gets updated. It starts as companies which you pay but then someone insists developers add all the open source copyright owners.<p>Now someone took this spreadsheet with zero understanding of what curl&#x2F;&quot;Haxx Team&quot; is and just emailed them a template.<p>Not giving excuses, clearly they are incompetent. But it is not some demand of service from freeloaders.

I keep getting questionaires like this, usually from paying customers though. I never answer them because my licenses are way too cheap to bother with shit like this. And yet the companies keep using my software, despite the fact that I didn&#x27;t answer their stupid vendor asessment forms.<p>At this point I wonder what these forms are good for? Why send them to vendors and waste people&#x27;s time if you don&#x27;t care about the answer anyway?

Should’ve named the company and not redacted the doc.