
Or they just didn't know. Seriously, if you divide the world into the NSA and the non-NSA, then why would the former be much better than the latter at finding vulnerabilities in open source software?


Budget, mission, and legal privileges.

For the money they get, and the supposed "Cyber Command" mission, they should have a team of great auditors, and advanced tools, that's much larger and more competent than the volunteer OpenSSL team itself. This group should go over all similar code multiple times with a magnifying glass.

Otherwise, what's the point of the NSA & Cyber Command, on its own stated terms?



