The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development.
While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects.
In contrast, the NSA has more than 1,000 experts devoted to ferreting out such flaws using sophisticated analysis techniques, many of them classified. The agency found Heartbleed shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.
...By not alerting anyone to the bug, the NSA could have left the door open for other intelligence agencies across the world to exploit Heartbleed, provided they found the bug. This revelation also seems to contradict one of the NSA's core missions, which is protecting and defending American cybersecurity.
"Given the scale of Heartbleed, deciding to exploit this vulnerability rather than fix it, makes a mockery of any claims that the NSA defends the networks of the U.S.A.," an employee on the security team of a major Internet company, who asked not to be named, told Mashable...
"Utterly, indefensibly shameful," tweeted Kevin Bankston, the New America Foundation Policy Director. "Way to be evil, guys."
Matthew Prince, the CEO of security firm Cloudflare, tweeted that it's "hard as a tech company today to not feel like we're at war with our own government."