by gech
3318 days ago
> however there is certainly an argument that their other responsibilities outweigh any responsibility that they might have to act as a free security investigation team and report a security vulnerability to an outside corporation.

Yeah, a shitty one. Free? No, they're funded by taxpayer dollars. I do think we need to argue about priority of responsibilities. Was this exploit used to spy on allies?

Don't know, and unlikely to ever find out. If so, it was likely very targeted to avoid detection on modern systems. Was it ever used to spy on Iran's nuclear enrichment program?
> I do think we need to argue about priority of responsibilities.
Ok. What responsibilities does a US government agency have to disclose vulnerabilities? Should they be required to disclose all vulnerabilities found in software and equipment from US companies? Since a lot of that technology is used around the world, are you ok with the corollary of it being harder for the US to spy on anyone using modern equipment?
How about disclosing problems found in tech products used by US companies? Should the NSA do that as well to keep those companies safe?
The US provides a fair amount of funding to organizations focused on finding and responsibly disclosing security problems, notably CERT[1] and US-CERT[2]. The NSA is a completely separate thing.
1: http://cert.org/about/
2: https://www.us-cert.gov/
Edit: removed snark