This argument has always bugged me. Even if the mailing list was openssl-private-security-announce-embargoed (which it isn't), shouldn't openssl still attempt to identify and notify the large downstream consumers of openssl even if they're not on the list?

This mailing list conversation sounds like a cartoon bureaucrat saying "Well, I'd LOVE to help you, but you didn't tick checkbox 16-A on your X-23 form last week."



The distros list works on the principle that, at least in part, it's about people who are participating in the security-fix process. Of course some of the benefit is you get to stage your fixes early, but you also agree to be another set of eyes on the patch, run your local build and regression tests, etc. If someone brings an issue to the distros list without a patch, the patch needs to get written by someone. And so forth.

My employer repackages Ubuntu into a virtual appliance, but since we're firmly downstream and haven't yet had the time to get deeply involved in upstream security work, we're not allowed on the distros list. (We haven't asked, but the policy is pretty clear.) I think that's pretty fair, even if I personally dislike that end result.

See, for instance, the disastrous handling around Shellshock, where no details were given on the distros list, the announcement went public, and it took a few days (in public) for people, mostly people on distros@, to realize that the patch was incomplete and two more patches were needed. It's not clear the distros list worked any better than a public announcement would have.

The other argument is that embargoes always get harder to enforce as you add more people to them. The distros list is the successor of the old vendor-sec list, which was more lenient about membership and always had suspicions of leaks (until someone broke into the mail server...). See, for instance, the messy handling of Heartbleed's embargo:

http://www.theage.com.au/it-pro/security-it/heartbleed-discl...

I think that if there's going to be a private disclosure process at all, it's better that it's bureaucratic instead of friends telling their friends at CloudFlare and Akamai, under the table, that they should patch.


I have always hated embargoes for things like that because they end up benefitting the worst companies - the big ones - over the people who actually need the help.
