item 12871655

15thandwhatever | 9 years ago

I agree, but with a little twist: the problem is not that the latter party doesn't know how and the former party has the answers, maybe it's that the former party doesn't know how either.

In this particular instance, the actual problem is notification. OP said he fixed the bug in his original code, and one of his downstreams should fix the bug too.

Fair enough.

But then things took a turn towards "you should do the work", "civic duty", and what not. To which OP replied he's not going to fix it in a code base he's not compensated for.

The actual problem in this scenario here isn't OP's willingness to donate his time, it's that the right person at the downstream needs to be notified (and in turn acknowledge the problem). And in the world of open source, this is a common issue which is impacted by multiple notification avenues, developer continuity, and general infosec policy.

But instead of any one of us creating an issue saying "Hey dudes, this was fixed in the upstream -- here's a copy-and-paste pointing to the fixed and respective vulnerable code", it's a pile-on with holier-than-thou mantras regarding why OP should do the free work of reading the source code, testing a fix, and creating a patch.