Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosded to the community responsible for OpenSSL.

On one hand, I’m generally not inclined to believe the NSA nor would I be surprised if they left an exploit like this out in the wild for the sake of intel. However, if they’re not lying about the fact that many government websites use it, in that case, I would actually be surprised if they left it out there. I’m not sure what to believe now.