Exactly! Everyone can get to the source; the whole point of OSS is that the companies themselves can (and should, from a risk-analysis point of view) be reviewing all the code too before implementation... it's along the lines of "you get what you pay for", yet at least here everyone is given the chance to see exactly what's being run (as opposed to pre-compiled apps). IMHO, this really isn't an OpenSSL issue as much as a failing of due diligence by all the companies using it. The admin's excuse of "well, we don't actually know what the code says" fails here, and anyone over the past two years could have reviewed it themselves and fixed this! Maybe this will spur corps to actually review the code of critical infrastructure when it's available, as part of corp policy from now on; perhaps the insurance companies who do "Errors and Omissions" policies will start forcing corps to do that. Kinda surprised that this isn't already a standard policy, as code review of OSS is one of its main strengths, and if your company doesn't do it then they're missing out on one of the biggest assets of using OSS.