It's a good response that highlights the approach nicely, but he'd fail if there was a legal challenge because he's only given them a week to respond. I suspect a court would consider that unreasonable, whereas a few months would probably be acceptable if there was also proof of adequate attempts to contact everyone. I don't know how long the OpenSSL team have given people to respond, or what attempts have been made, but I'm guessing longer than that. Rewriting stuff is a safer option, of course, if your code isn't in there then you can't complain about the licence.