by dogma1138
3901 days ago
Microsoft releases security advisories ahead of time to many large customers, especially in regulated sectors, not just to governments. Large banks, for example, will get information about new "zero-day" vulnerabilities from their TAM, sometimes months before a patch is released, so they can adjust accordingly. The NSA doesn't get an exploit; they are notified about the vulnerability in good faith. In some cases Microsoft and their partners will release a signature which can enable host- or network-based intrusion detection/prevention systems to mitigate the vulnerability until it's patched. There are other initiatives by various security vendors; the most prominent would be ZDI by TippingPoint (now HP), which actually buys exploits so they can make signatures for their IPS. They notify their partners but in many cases withhold the vulnerability information for up to 6 months from the vendor of the vulnerable product.