WASHINGTON — In a rare insight into the government’s thinking on the use of cyberweapons, the White House on Monday published a series of questions it asks in deciding when to make public the discovery of major flaws in computer security or whether to keep them secret so that American intelligence agencies can use them to enable surveillance or an attack.

The discussion came not in a presidential policy directive or a speech, like the kind President Obama gave when describing the criteria for conducting drone attacks, but in a blog post on the White House website. The item was posted by Michael Daniel, the White House cybersecurity coordinator, and appeared to be distilled from a far more detailed classified document giving guidance to the National Security Agency, the F.B.I. and others who often exploit flaws in Internet security.

Mr. Daniel repeated the N.S.A.’s declaration several weeks ago that “we had no prior knowledge of the existence of Heartbleed,” a security vulnerability that created widespread fears that passwords or other delicate information transmitted by millions of computer users may have been revealed. But he acknowledged that the Heartbleed incident had cast a light on a balancing test the White House has until now declined to discuss in any detail: When should the government reveal flaws that it discovers, and when should it use them for its still-unacknowledged “stockpile” of flaws that would help it penetrate foreign computer networks?

It is a heated issue inside the N.S.A. and the Pentagon. The United States made use of four so-called zero-day vulnerabilities — flaws that had been known for zero days to the outside world — to attack and disable elements of Iran’s nuclear program in an operation called Olympic Games. The United States and Israel, which mounted that campaign, have never acknowledged their involvement, and most of the time such vulnerabilities are exploited for more routine actions, especially the interception of email or other Internet traffic.