
Aurornis, last Monday at 11:07 PM (1 reply)

> I'm not sure why someone who is spending their limited free time building software to give away for free would want Amazon as a downstream consumer

Are you kidding? This is the dream scenario for many open source projects: Getting adopted by a major company is a claim to fame like none other.

> Do you enjoy spending your nights and weekends dealing with CVE reports, while a high-6-figure BigTech engineer nags you that they need it fixed?

Then don’t? You don’t have to do anything. It’s fine to ignore it if you want.

Practically speaking, Amazon engineers aren’t going to sit around and hope the maintainer fixes the thing that unblocks them. If they actually need it, they’ll fix it. They might fork it. They might try to recruit the person.

But nothing obligates you to do anything. This hand-wringing about the idea that someone might find the project useful enough to identify issues and report them is rather ridiculous. Just ignore it if that’s your prerogative.

Replies

swiftcoder, last Tuesday at 6:50 AM

Having been upstream of this problem (I was an engineer at Amazon for ~5 years), they will typically not do any of those things.

The amount of paperwork they have to jump through just to send you a patch makes it not worthwhile. They might fork in extremis, but to do that they first have to justify to management that it's worth ongoing effort to support. Hiring a maintainer really only happens for truly foundational projects like the Xen hypervisor.

What they will do is use the public nature of the CVE process to pressure you to patch within the SLA - and that's generally pretty effective. Only a few open source groups (for example, the npm team) have enough public clout to reject CVEs without reputation damage.