Bloomberg is reporting that the NSA knew about and exploited the heartbleed bug for years. The NSA is, of course, denying that but if you’ve been keeping score it’s pretty easy to figure out who to believe.
If it’s true that the NSA knew about the bug and kept the information private so that they could use it, it’s a nice illustration of something that Bruce Schneier has said repeatedly. The NSA is making us less safe not more safe. It’s virtually impossible to know if a site has been exploited by heartbleed so it’s entirely possible, or even likely, that criminals or foreign state actors have been exploiting the bug. The NSA’s primary mission is protection of the country’s communications. If they failed to act to close a devastating hole in a widely used SSL implementation then they’re obviously failing in that mission. Failing on purpose.