President Barack Obama has explicitly decided that when any federal agency discovers a vulnerability in online security, the agency should come forward rather than exploit it for intelligence purposes, according to The New York Times, citing unnamed “senior administration officials.”

However, while there is now a stated “bias” towards disclosure, Obama also created a massive exception to this policy if “there is a clear national security or law enforcement need.”

The report comes just one day after the Office of the Director of National Intelligence (ODNI) responded to a Bloomberg News report. ODNI denied that story, explicitly stating that the “NSA or any other part of the government” had no prior knowledge of the notorious Heartbleed vulnerability that has wreaked havoc across the Internet.

Obama's new decision was made in January, the Times added, when the president began a three-month review of recommendations (PDF) put forward by his Review Group on Intelligence and Communications Technologies.

The ODNI statement released Friday concludes with this paragraph on the feds' vulnerability sharing:

In response to the recommendations of the President’s Review Group on Intelligence and Communications Technologies, the White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.

That coincides with the Review Group’s 308-page report (PDF), including this recommendation:

We recommend that the National Security Council staff should manage an interagency process to review on a regular basis the activities of the US Government regarding attacks that exploit a previously unknown vulnerability in a computer application or system. These are often called “Zero Day” attacks because developers have had zero days to address and patch the vulnerability. US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks. In rare instances, US policy may briefly authorize using a Zero Day for high priority intelligence collection, following senior, interagency review involving all appropriate departments.

Despite the ODNI statement and Obama's decision being framed as a new initiative, previous reports based on the Snowden documents indicate the NSA has long been in the business of acquiring not-yet-patched flaws. In August 2013, The Washington Post wrote that: “The NSA designs most of its own implants, but it devoted $25.1 million this year to ‘additional covert purchases of software vulnerabilities’ from private malware vendors, a growing gray-market industry based largely in Europe.”