Not really. The managerial process for fixing a vulnerability or mitigating supply chain attacks in an open source project is functionally different from that for a proprietary product. So much so that it’s often the subject of memes (and frustration) in the FOSS community when people don’t understand the difference.
Stuff like this:
https://daniel.haxx.se/blog/2020/12/17/curl-supports-nasa/
Or this: https://daniel.haxx.se/blog/2022/01/24/logj4-security-inquir...
… is exactly why you can’t treat them the same in these types of situations.