What if they have a unique definition of 'vulnerability', much like they had a unique definition of 'collect'?
As a bit of internal jargon, the NSA only considered information 'collected' when an analyst looked at it. So, they could record & store bulk data about all Americans, but still claim (with a secret wink) that they didn't intentionally "collect" data on Americans.
Maybe for them, 'vulnerability' means both "the bug exists" and "bad guys know enough to exploit it". After all, if a tree falls in the woods, and there's no one there to hear it, does it make a sound?
This definition even makes sense, if you have an advanced, economic and strategic understanding of security as something that's a matter of relative priorities and dynamically-changing situations. There are plenty of bugs, known and unknown, in all software. Perhaps they only count as 'vulnerabilities' when they're practically exploitable, and practical exploitation has, as an absolute prerequisite, discovery by malicious actors. (On the other hand, when we, "the good guys", discover the bug, it's not a vulnerability: it's an asset! Search for [NOBUS NSA] for more reporting about this style of reasoning.)
Still, using such a fine-grained bit of internal jargon, even if it makes sense among people who share your terms, is deceptive if used to hoodwink the public and Congress, exactly as the 'collect' finesse definition was long used.
NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report
Or perhaps the "private sector cybersecurity report" was an IRC chat two years ago for l33t haxors.
They went on to say: "Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong." So there's no weasel-wording going on here.
Perhaps they're using the etymological root of aware, which is "wary", and they mean they were unconcerned with its existence as they were unwary/unaware of any possible dangers with it since it was unknown to hostile forces.
The NSA doesn't need to redefine "vulnerability" or use any other jargon. When it comes to issues the government considers related to national security, they don't bother to hide behind convoluted language or misleading information; the NSA has already demonstrated it's willing to flat out lie to the public regarding such matters.
Or they just didn't know. Seriously, if you divide the world into the NSA and the non-NSA, then why would the former be much better than the latter at finding vulnerabilities in open source software?
For the money they get, and the supposed "Cyber Command" mission, they should have a team of great auditors, and advanced tools, that's much larger and more competent than the volunteer OpenSSL team itself. This group should go over all similar code multiple times with a magnifying glass.
Otherwise, what's the point of the NSA & Cyber Command, on its own stated terms?