> Do they go to some central committe to get approval to add it to the whitelist? What are their criteria? How long will it take them to approve it?

Yes, depends on the org, depends on the org.

Introducing third party dependencies should not be a single person decision.