If a business sets itself up to depend upon a free open-source project, that business is responsible for understanding what the dependency really means to the business.
In this case, that means understanding who maintains the project, how to go about receiving help, perhaps looking at a history of how other requests were handled, and ultimately knowing what the options are (e.g. does the business have the means to maintain internal experts for all software dependencies, or even an internal fork for emergency patching, etc.?).
Otherwise, a business that “needs something” can wait in line.