Re: Shirley!
[Any] of the users *could* have maintained it, but only 2 were.
To be fair, during the Bad Old Days, the OpenSSL project was not taking patches from developers in the US and some other countries, due to legal concerns.
Also, some users - typically participants on the openssl-dev and openssl-users lists - did provide feedback and suggestions, sometimes including example code that looked a lot like a patch if someone wanted to incorporate it.
And it's not true there were only two contributors even then. The heartbeat implementation that led to Heartbleed was an outside contribution from Seggelmann, for example.
What's more important with OpenSSL is that any of its many, many large corporate users could have contributed funding, but very few did. Nor did many individuals.