To clarify and for the record:

Being on the distros list is not mandatory to receive advance
notification of security issues.  The list is just a tool.  People
reporting security issues to the distros list are encouraged to also
"notify upstream projects/developers of the affected software, other
affected distro vendors, and/or affected Open Source projects".

OpenBSD having declined to use the tool shouldn't be interpreted e.g. by
OpenSSL as a reason not to notify LibreSSL directly.  I don't know if
such reasons exist or not, but OpenBSD not being on distros is not it.

I do think OpenBSD would benefit from using the tool, increasing the
percentage of issues you do receive advance notification for, if you'd
like that.  However, tools and ethics are separate things.

Alexander
