
> any open-source lib anywhere in the wild must be up to professional quality standards and respond to all bug reports in a timely fashion

I think the proper standard should be to request that of vendors selling production software: « all libs you depend on must be up to professional standards of security ». If upstream can't meet that, for the reasons you described, then it's the downstream's responsibility to either fork or vendor to meet that criterion.