by csandreasen
4342 days ago
There haven't been any actual concrete disclosures showing that DUAL EC DRBG was backdoored, just loads of conjecture. Maybe it was, maybe it wasn't - the same conjectures were put forth regarding the manipulated S-boxes in DES and it turned out twenty years later that the NSA was actually strengthening the algorithm, not weakening it. If DUAL EC was backdoored, it was a pretty pathetic attempt: it was hardly ever used (only 720 confirmed vulnerable servers out of a survey of 21.8 million[1]) and due to its slow speed there were recommendations not to use it long before Snowden came along. One year later and nothing in the Snowden cache has been leaked providing concrete proof showing a backdoor; I'm not holding my breath for it.

Regarding Heartbleed, the NSA denied having knowledge of the bug before its disclosure. There was a follow-up post on the White House blog[2] that discussed some of the criteria the administration would use in determining whether or not the NSA should disclose a 0-day.

It sounds like you're wanting them to actively search for vulnerabilities in software they didn't write and might not even be used by their targets (the Chinese government could have taken advantage of Heartbleed, but I don't know how many Chinese government sites use OpenSSL). That's not what we currently fund them to do, and I get the impression that most American tech companies wouldn't want the NSA's help anyways.

[1] http://dualec.org/

[2] http://www.whitehouse.gov/blog/2014/04/28/heartbleed-underst...