Source: https://law.stackexchange.com/questions/20035/is-the-nsa-liable-for-not-reporting-a-security-vulnerability/20038