
Well, according to (also unsourced, so no clue what the "real" story is) comments on the sister submission [1] it is because LibreSSL doesn't want to take part in the embargo on reported vulnerabilities.

[1] https://news.ycombinator.com/item?id=9216815



That's because they patch within a couple of days and don't want their systems unpatched for long (30 to 60 days!) when there is a known issue out in the wild. The flaws tend to get leaked, the temptation is big because there are huge money incentives.

I bet if the embargo were for 5 days they would reconsider. But good luck with that with members like Microsoft, Cisco, Oracle, which have a terrible reputation of postponing things the maximum possible.


> I bet if the embargo were for 5 days they would reconsider.

Here's a page describing the list in question:

http://oss-security.openwall.org/wiki/mailing-lists/distros

Here's the embargo policy:

> Please note that the maximum acceptable embargo period for issues disclosed to these lists is 14 to 19 days .... In fact, embargo periods shorter than 7 days are preferable.


19 days is an eternity for a security-oriented OS aimed at critical infrastructure like firewalls and proxies.


19 days is nothing compared to how long it has taken non-Linux firewall and proxy vendors to patch things in the past.


Makes you wonder why people buy those products.


And a lot of those vendors just never do. And a lot of users never update anyway. There's no reason to keep my enterprise servers insecure because Johnny Linksys doesn't have a patch that he's never going to install anyway.


It's not "in the wild."

OpenBSD is making the gamble that either a) they can pressure the adults doing coordinated disclosure to stop doing that via their excellent people skills, or b) that they are so awesome that they can find the problems before everyone else.

NB: I love OpenBSD from a security POV, but that doesn't mean what the leaders of the project do is always correct for security.


We mostly don't know if it is already "in the wild" or not, if it will be found independently during the embargo period, if it will leak out of one of the organizations "in the know", ...

Didn't people find traces of Heartbleed attacks that happened months before it was published?

There are good arguments for very short embargo periods, especially if you mostly care about the security of your users. (of course, in a perfect world every vendor would be willing/able to release patches after 24 h or so, and it wouldn't matter, but we don't have one of those...)


It's hardly just OpenBSD. Read Al Viro's comment to http://lwn.net/Articles/601958/. He notes that Linus left the list due to the same policy.


So what about having the dinosaurs sort out and coordinate release dates initially, then giving a few days heads up to LibreSSL (and others).

At least it would minimize the risk of zero-daying LibreSSL users.

... but I guess, this isn't where the problem is?


That is true. OpenBSD/Theo refuses to take part in embargos, which means they don't get a heads up. Don't have a citation right now, but Theo said that publicly when Hardbleed or so happened.


Not true.


In which case and assuming that is accurate then

> Why? Well, they just don't. That's the whole story.

Could have been

> Why? Well, we'd have liked to but they don't embargo reported bugs and we do.

Clearer for everyone.

Assuming it's true.


Wouldn't that be "they embargo reported bugs and we don't"? (Or at least, I suspect LibreSSL wants to keep to its own embargo schedule.)



