That&#x27;s because they patch within a couple of days and don&#x27;t want their systems unpatched for long (30 to 60 days!) when there is a known issue out in the wild. The flaws tend to get leaked, the temptation is big because there are huge money incentives.I bet if the embargo were for 5 days they would reconsider. But good luck with that with members like Microsoft, Cisco, Oracle, which a terrible reputation of postponing things the maximum possible.

That is true. OpenBSD&#x2F;Theo refuses to take part in embargos, which means they don&#x27;t get a heads up. Don&#x27;t have a citation right now, but Theo said that publicly when Hardbleed or so happened.

In which case and assuming that is accurate then&gt; Why? Well, they just don&#x27;t. That&#x27;s the whole story.Could have been&gt; Why? Well, we&#x27;d have liked to but they don&#x27;t embargo reported bugs and we do.Clearer for everyone.Assuming it&#x27;s true.

Well, according to (also unsourced, so no clue what the &quot;real&quot; story is) comments on the sister submisson [1] it is because LibreSSL doesn&#x27;t want to take part in the embargo on reported vulnerabilities.[1] <a href="https://news.ycombinator.com/item?id=9216815" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=9216815</a>

(Replying to PARENT post)

(Replying to PARENT post)

(Replying to PARENT post)

(Replying to PARENT post)