[drdaeman]

In a same manner CloudFlare had it before the disclosure, OpenSSL team should've contacted major GNU distro (Debian, Fedora, Arch) packagers privately and do the announcement as new releases hit the repos (i.e. not having a 4-8 hour window, given the bug's pretty much critical).

[001spartan]

I was under the impression that they did in fact contact package maintainers in addition to companies like CloudFlare.

[rincebrain]

Nope; package maintainers said they didn't get notified, and OpenSSL explicitly has no notification mechanism for such things. CF found out because the private entities which found the bug warned them a priori with a request to not disclose it to anyone else. See also: https://news.ycombinator.com/item?id=7549986