I believe it has always been OpenBSD's position that all bugs are security holes until proven otherwise. It's no fun seeing proof.
Running newer versions is no panacea. New features are fertile ground for unreported and unanalyzed bugs, readily discovered by inspection. It may be that critically exposed software should be released in a form in which new features can be ifdef'd out until after they have been vetted thoroughly.
Copyright © 2018, Eklektix, Inc.