Over the last 10 years, OpenSSL has published advisories on over 100 vulnerabilities. Many more were likely silently fixed in the early days, but in the past year our goal has been to establish a clear public record. In September 2014, the team adopted a security policy that defines how we handle vulnerability reports. One year later, I
Our policy divides vulnerabilities into three categories and defines actions for each category: we use the severity ranking to balance the need to get the fix out fast against the burden that release upgrades put on our consumers.
