
How would you ever know that someone always discloses, if you can't know what they don't disclose?



You can’t know (in the mathematical certainty sense) that they always disclose. But you can know if some entity has the policy of always disclosing. Those are two different things. A policy is about the intentions and the structure of the organisation. How they think about themselves, how they train their recruits and how they structure their operations.

The first hint would be the agency stating that they have a policy of always disclosing. You would of course not believe that because you are a spy with trust issues. But then you would check and hear from all kinds of projects and companies that they are receiving a steady stream of vulnerability reports from the agency. You could detect this by compromising the communications or individuals in the projects receiving the reports, or through simple industrial rumours. That would be the second hint.

Then you would compromise people in the agency for further verification. (Because you are a spy agency. It is your job to have plants everywhere.) You would ask these people “so what do you do when you find a vulnerability?” And if the answer is “oh, we write a report to command and we sometimes never hear about it again” then you know that the stated policy is a lie. If they tell you “we are expected to email the vulnerable vendor as soon as possible, and then work with them to help them fix it, and we are often asked to verify that the fix is good” then you will start to think that the policy is actually genuine.


> How would you ever know that someone always discloses

Same way you know if they don't have nukes. Based on what they say and your best guess.

