Something as core as OpenSSL should be provided by the system and updated by the system maintainers. That's what happens in Windows and OS X land, where the system provides a broad base of functionality that every application can count on (e.g. https://msdn.microsoft.com/en-us/library/windows/desktop/ff8...). Thus third party programs only need to bundle the elements not already provided by the system. When goto fail was discovered in the OS X crypto libraries, Apple simply issued a system update and that was the end of the story.