So the 1.0.2zg release is only for those paying $50,000 for the enterprise contract? That's understandable, but I guess the people paying for lower tiers won't be very happy with that.
Yes. If you're using your distro's version of openssl, then your distro is supporting it for you. What openssl.org upstream claims is supported or not doesn't matter to you.
I've had fun in the past with external auditors¹ who don't really understand what their automated tools are telling them. If the tool reports a version that is no longer supported upstream we have trouble convincing them that it is fine as what we have is a well tested version² with all the security fixes they might be concerned about back-ported³ into it.
----
[1] we provide SaaS services to companies in regulated industries, like investment banks; they have a high level of monitoring required, which includes auditing the security of suppliers like us
[2] possibly more so than the latest upstream version
[3] or even not needed at all because the bug was introduced in a feature that wasn't back-ported
To be fair, this is clearly stated on their page.
https://www.openssl.org/support/contracts.html