In a pre and post-Snowden world, I would imagine if a government discovers a bug like Heartbleed and has no evidence of anyone else knowing about it, they will classify it and use it offensively. They will then collect evidence and construct a model of who else knows of the vulnerability and weigh the costs (to their offensive capabilities) and benefits (to everyone's defensive capabilities) of disclosing it publicly.
Once there is reason to believe that the benefits outweigh the costs, they will disclose it in a way that doesn't expose their knowing about it beforehand.
I would imagine if a government discovers a bug like Heartbleed and has no evidence of anyone else knowing about it, they will classify it and use it offensively.
You seem to think "a government" is a unified entity. If the NSA (for example) discovered Heartbleed I'd expect you would be correct.
If someone in the IRS (for example) found it I'd expect they would behave very differently.
I believe standard procedure would be for IRS to report it to US-CERT who are part of the Department of Homeland Security.
At which point (I imagine), decisions would be made along the same lines as I described, the key questions being "can we keep it secret?" and "who has this capability?".
I tried to be nation-agnostic, as I imagine there may be a bit of difference in how a given nations' intelligence agency weighs the value of their offensive capabilities and the public defensive capabilities in light of who knows about the bug.
Basically, governments are rational actors. Not really surprising but many people seem to assume the government will be either irrationally benevolent or irrationally evil.
If 100% all components of government behave rationally, it doesn't neccessarily mean that the government behaves rationally.
A collection of rational actors may, as a whole, behave irrationally - as defined as 'against their own best interest'. Tragedy of the commons is but one example.
Organized systems may easily have structures that create irrational and destructive behavior, and those structures can be stable enough so that for each separate employee attempting to change the system would be risky, disadvantageous and irrational.
I think nl (sibling post) is more accurate: "governments" don't exist as such. You have lots of agencies with conflicting interests, and they're eventually all made of people.
I would say that rather than "the government behaves rationally" - that every individual behaves in their best interest.
High-ranking intelligence officials will push for more power, more capabilities, and will scrap things if they become risky.
If there's somebody sufficiently powerful whose career would be threatened from some risk of exploiting the bug, that risk will be taken seriously.
If there's somebody sufficiently powerful whose career would benefit from the government letting people know about that bug, it'll happen. This sounds unlikely, but this isn't my area of expertise and if somebody wants to correct me please do so.
Congress will largely ignore it because it has nothing to do with their constituency, they're mostly technically illiterate, and because they're being lied to anyways.
Daniel Kahneman says this has been proven false in his book Thinking Fast and Slow.
It think it is wrong on two levels. First individual's "perceived best interest" is often very far off of their real interest. Second, individual, and not only a few edge cases, are often not behaving in their best interest, even if we consider it to be their "perceived best interest".
Kahneman listed the three attributes of humans modelized as "econs" in the most common economic model: They are rational, selfish and their taste do not change over time. All three are obviously wrong.
What might appear to be irrational behavior to you is just due to people making decisions based on different information, differing priorities and a different decision making process informed by different life experience. If someone's decisions appear irrational to you, you just don't possess enough data about the information they have access to, their priorities and the world model in their head.
So basically what you're saying is the word "irrational" has no meaning whatsoever, and that every act is rational, just perhaps not to your point of view or level of information.
In the theoretical sense, I agree with that, but in a world of social interconnections, we need a meaningful framework and vocabulary for judging these sorts of things. While I believe that true objectivity is hard (and maybe impossible), I think there's a lot of social value in coming up with widely accepted definitions of rational vs. irrational, at least on a case-by-case basis.
I think you are mixing up "rational" and "reasonable". It is not rational to flinch away from that puff of air you get at the optometrist, but it is reasonable.
Why is the assumption "governments are rational" more reasonable than "governments are irrational"? Both seem equally possible to me, given the fact that we don't have the information to tell, either way.
In any case, that's a false dichotomy. Governments are not uniform entities, and there's no point talking about them as if they are. Governments, like people, do some rational and some irrational things.
Because it takes quite a lot of work and training for individual humans to act rational. Therefore, without other information, it is a better default assumption that any given human or system-of-humans is non-rational.
Once there is reason to believe that the benefits outweigh the costs, they will disclose it in a way that doesn't expose their knowing about it beforehand.