Aren't they already doing this? I thought all distributions made fixes, and contributed them to upstream. IIRC, "fixing" a bug was exactly how the SSH weak keys problem got into Debian (with some sort of breakdown in the "contributed upstream" part).