by acqq 4110 days ago
And they could have found the security bugs and reported them to OpenSSL even after they forked. If they actually did some serious security investigation of the code they took and kept in their fork, it should be natural to discover such issues and not just wait for others to find them in OpenSSL.

Does anybody know of any such report?

While I generally agree that this should be done, I'd also like to point out that many (most?) security fixes in LibreSSL are really "side effects" of throwing away lots of code, or cleaning it up.
That's my impression too, that they threw away a lot and replaced a few functions with the "good-practice in OpenSSL" ones, but otherwise haven't changed too much, so the code base can be easier to maintain but is not necessarily "the" solution some believe it is.