Yes, the NSA did know about Heartbleed before it was released publicly, and surely exploited it.
Now when the NSA says they didn't know about that bug before it became public, that's total bullshit. You know what ? I just got a mail from CloudFlare, quote:
"You're protected from the Heartbleed vulnerability because you have CloudFlare turned on for your website. We fixed the flaw on March 31 for all CloudFlare customers, a week before it was publicly announced. [..]
NO IMPACT ON CLOUDFLARE SERVICE. Our team has conducted a comprehensive security review to ensure our customers were not impacted. One concern is that an attacker had access to the exploit before March 31 since the flaw was present since December 2011. We've seen no evidence of this, but we're proceeding as if it is a possibility. [..]
CloudFlare was one of the companies originally contacted by the researchers who discovered the bug and has been working closely to ensure that sites are protected. This is a serious issue for the Internet as a whole and, as we learn more details, we'll continue to update you on actions you can take to protect your online presence."
NOW IF CLOUDFLARE WAS ALERTED IN PRIORITY BY THE SECURITY RESEARCHERS, THEN PRETTY SURELY THE NSA DID TOO ("National Security Agency"), MAY IT BE DIRECTLY, OR BY SPYING THE COMMUNICATIONS BETWEEN INTERNET ACTORS. THEREFOR WHEN THE NSA SAYS THEY DIDN'T KNOW ABOUT THE BUG BEFORE APRIL 07, →→ IT'S A BLATANT LIE ←←.
We should take this as a warning: way more human and financial resources of the NSA are used to EXPLOIT open-source security bugs than COUNTER and FIX them. Now if you are an open-source project leader, you would think twice before committing code proposed by these bastards. And this also hints us that elementary software should get exhaustive and permanent security checks, checks that can't be performed by part-time "hobby" devs. In that, I can only approve Falkvinge about universal basic income, allowing devs to live decently while working full time on their open-source code.