Hacker News
by e12e 4107 days ago
> the LibreSSL team refused the invite to the exclusive OpenSSL security list

As I understand it, they refused to accept embargoes (or guarantee that they wouldn't just go and scream "FIRE!" if one broke out, even before they could put it out) -- or patch ahead of others, etc.

The "responsible" vs "full" disclosure thing. There are arguments on both sides, but from the perspective of being a developer, I can understand the wish to just be able to say: "Oh, shit. Turn off your SSL services now, this and this has been seen in the wild. We're working on a fix" -- rather than let some small number of juicy targets be compromised because someone had an exploit, but hardly anyone knew about it.

At any rate, if one was happy with openssl, one can just stick to openssl. Probably a pretty bad idea, though.