by vasuki
1992 days ago
Not that we have public evidence to prove whether it was a nation-state or not, but in my experience as a vulnerability researcher, finding high-impact flaws in popular tools (closed + open source) and government services is much easier than people realize. Take a look at the number of vulnerabilities reported to the US Department of Defense via HackerOne: https://hackerone.com/deptofdefense/hacktivity?filter=type%3... (and these are just the ones publicly disclosed; a lot of them remain undisclosed. You can change the filter to see how many are reported in the last few days/hours.)

And taking this single report as an example: https://hackerone.com/reports/761790

Reported at: December 19, 2019 4:19pm +0000
Resolved: 1 month ago

And this is when there is no bounty attached to these, just some HackerOne points which help you gain higher reputation and possibly win some private program invitations. Imagine how many reports a monetary reward would bring in. I would really be surprised to learn that adversaries are not already hoarding the flaws, especially when this is their daily business.