Is the NSA Using Zero-Day Exploits before Reporting Them?

According to the NSA, it will report zero-day security vulnerabilities to software vendors “9 out of 10 times.” The other 10% of the time, it won’t say what it does with them, but it does say there are times when the military and national security benefits outweigh the benefit to disclosing vulnerabilities to vendors.