The scenarios can get as complicated as a spy novel by John le Carre. An enterprising hacker could decide to do a double dip on a sale -- sell to the government, then turn around and sell to the vendor affected by the vulnerability.
An adversary could also exploit a vulnerability sale by earmarking it. Then, if the nation that bought the vulnerability used it, its origin could be easily identified.
There's an irony in the notion that the federal government may be hiding vulnerabilities from vendors, said Richard Stiennon, chief research analyst at IT-Harvest.
"When the government started US-CERT, its purpose was to disseminate knowledge of new vulnerabilities," Stiennon said in an interview. "Now the government is in a position of purchasing vulnerabilities and then not disseminating them or disclosing them to the vendors."
Sign up for CIO Asia eNewsletters.