Do you want to stop "supply chain compromises" as a company? Here's a very simple way to do so: pay a stipend to a maintainer of something you depend on.
You don't really need dependency tracking tools. You don't need to exactly parcel out the 'right' proportionate amount of money to every maintainer. All of that operational complexity is unnecessary.
It doesn't even matter *which* maintainer you pick, as long as it's one who isn't receiving a stipend yet, and you pay them enough to constitute a salary.
It will cost you exactly one developer salary. If every able company does this, the problem of supply chain compromises is solved tomorrow.
All you need to do is simply *do it*, and talk about it so that other companies will too.
To expand on this: you don't need to manage them. You don't need to track their progress. You don't need a special team for them, or a 'head of open-source'.
You pay them a salary in the same way that you would pay a salary to eg. someone who you don't really have any work for, but don't want to see leaving for a competitor either: you add them to payroll and just let them do their thing.
They're already a maintainer so they know how to manage the project. There are no further expenses or organizational overhead for you.
