Well, I'm just saying: the preceding comment believed themselves to be a contrarian for thinking it was OK for NSA to have these vulns, and it looked like you were rebutting them. But your rebuttal, if that's what it is, restates a premise NSA shares.
The meaning I took from that comment is that the NSA should always keep any 0-day it finds indefinitely until it uses them. That's what I think "hoard" and "disclose only after they burn" means. It's a mindset of keeping everything you find secret because you might want to use it someday.
My understanding of VEP is that the default is supposed to be to disclose immediately unless an agency has a really good reason not to, presumably because they want to use it soon. Don't hoard, only keep things that you're actually going to use.
For clarity: the word "hoard" to me signals the idea that NSA keeps dozens of duplicative exploit chains around. The public policy rationale for them doing that is to me clear, but my understanding is that the practical incentives for them to do that aren't clear at all.
When I say "burn", I mean that something has happened to increase the likelihood that an exploit chain is detectable. That could be them being done with it, it could be independent discovery, it could be changes in runtime protections. It's not "we use it a couple times and then deliberately burn it", though.
We should stop talking about "NSA", because this is basically a universal LE/IC practice (throughout Europe as well).
