Hacker News

zamalek, yesterday at 2:37 PM (2 replies)

Tons of distros were not informed.


Replies

marshray, yesterday at 10:28 PM

If you discover a vulnerability in OpenSSL, are you required to track down and separately notify every downstream packager of OpenSSL?

Or do you rely on the OpenSSL project to work their established process?

akerl_, yesterday at 3:36 PM

Is that a rule? Are there rules?

These researchers found a vulnerability in the Linux kernel. They could have just written a blog post and put it online, or not told anybody, or sold it. But instead they decided to tell the Linux kernel devs, and give them time to act before publishing.

And your beef is that you’ve decided they needed to also inform individual downstream projects that use the Linux kernel? Why? Which ones?
