
A reasonable policy upon discovering this type of bug is to allow the agency a fixed period of time to exploit the bug and then require that they provide support in fixing the bugs for as many major US companies and institutions as possible as quickly as possible.

If they are given carte blanche to use the exploit indefinitely, they will keep it forever and let the world discover and exploit it as well. If they have a finite time period like 1-3 months, they will prioritize exploiting those systems that are actually valuable for national security. While they are doing so, they should keep an auditable log of all the systems they use the exploit against so that oversight may be performed in hindsight. Furthermore, they should absolutely be barred from using any exploit against a target with a US-based IP, or possibly even any IP address in allied nations.

It is far less likely that the agency will have the opportunity to abuse exploits if they are forced to prioritize targets due to a fixed deadline on disclosure.

During the deadline period, they should also be working on a plan that minimizes the amount of damage once disclosure is forced, i.e. there should be a list of people and companies that get the information first, and everyone on the list should be people in charge of protecting computer systems (i.e. no one involved in offensive activities is on the list). Companies like Google, Facebook, Akamai, Apple and the package maintainers for all the major *nix distros should be on that shortlist of those that get priority notification.
