Like most members of the BUGTRAQ mailing list (which rarely sees OpenBSD security reports these days :-), we believe in full disclosure of security problems. We have found that the coding of proper fixes to security problems typically only requires about 4-5 minutes of coding. Thus we typically have fixes available extremely quickly.
Our security auditing team typically has between six and twelve members, and most of us continually search for and fix security holes. We have been auditing for approximately two years. The process we followed to increase security was simply a comprehensive file-by-file analysis of every critical software component. Flaws were found in just about every area of the system. Entire new classes of security problems were found while we were doing the audit, and in many cases source code which had been audited earlier had to be re-audited with these new flaws in mind.
The process is not over yet, and as you can see we continue to find and fix new security flaws.
If you find a new security problem, you can mail it to
deraadt@openbsd.org.
If you wish to PGP encode it (but please only do so if privacy is very
urgent, since it is inconvenient) use this pgp key.