How do you handle open source in the supply chain?

[LawrenceHecht]

Are we specifically talking about components and dependencies?

I don't think this question should go too deep into software options. Thoughts?

Also, we can include something about compliance initiatives like suggested by @Toniprni in another issue.

[caniszczyk]

taken care of https://github.com/todogroup/survey/pull/32