Heartbleed was really not the final straw. Their Malloc replacement layer was the final straw for us. It never frees memory. (tools can't spot bugs) It uses LIFO recycling (use after 'free'? no problem) Includes a Debugging malloc that sends private info to logs, always there. Includes the ability to replace the malloc/free at runtime (eek!) In a nutshell, This was a very effective exploit mitigation technique countermeasure. It could not have been designed better to make an attack like heartbleed both hard to detect, and have dire consequences. OpenBSD's memory allocator, Valgrind and Coverity do not notice the memory issues.