Because the researchers had the common sense to notify the biggest targets in advance, I think.


I'll defend the researchers for trying to do a managed notification. But I wonder, did they try to reach out to the major OS vendors to see if they could get them any advance warning? Or ask OpenSSL if OpenSSL knew how to get in touch with people on the down-low?


The problem with distributions is that you, in most cases, don't know who is on the other end of the security@xxx.tld email address.

Being Google engineers, they should have direct contacts with Cloudflare and some other high-profile targets.


Obviously they don't just send the exploit directly in mail to a mailing list. Email, ask to talk to someone over the phone, explain the situation to that person, ask for references on prior releases being well-handled.

I want to avoid Monday morning quarterbacking, though. In hindsight the right course of action is always obvious.


If that were the case, AWS would've been on the list.


ITYM "target", and not even "biggest", really. They didn't responsibly disclose to any distributions.


Wouldn't it have made the most sense to e-mail the OpenSSL team so they could have pushed a critical patch that everyone would have updated to via APT before shit went off the hook?


They did; the problem is that the patch immediately shows you the security issue - and distributing a patch then means disclosing the bug.


I'm not 100% on the timeline but I'm pretty sure the OpenSSL team knew about this well before April 7th.
