Vulnerability Management

Multiple factors influence gov’t decision to disclose vulnerabilities

The government has an established protocol to determine when to disclose a vulnerability to the public, and while it is in the national interest to do so, there are times that disclosure would result in forgoing “an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or even discover more dangerous vulnerabilities,” according to a White House blog post by Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator.

Responding to concerns that the NSA knew of the Heartbleed bug long before it was revealed, and could have exploited it, Daniel wrote that “a disciplined, rigorous and high-level” interagency decision-making process is used to gauge whether a vulnerability affects core internet infrastructure, to determine the risk it poses, and to weigh whether the intelligence is valuable enough to justify exploiting it.
