Meanwhile, at OpenSSL:

It appears to be the perfect storm:

- Developers only interested in adding features, not fixing/maintaining - The OpenSSL foundation appears to be a million dollar a year for-profit company doing FIPS consulting gigs. (Incorporated in Maryland)
- Fixes sent are not merged by the upstream
- Bugs rot for years in the bug tracker - in fact someone beat us to discovering the problems with the memory allocator by FOUR YEARS.
- Horrible code actively discourages outside involvement - the barrier to entry for other developers is too high.
- Everyone looks at it, and goes back to doing their own stuff, hoping like heck that the upstream maintainers know what they are doing and care.