These vulnerabilities are "zero-day" bugs that even the software vendors themselves don't know about, and shady security firms sell them to the high bidder rather than reporting them to companies. In some cases, the highest bidder is apparently the U.S. government, which uses its stash of malware to spy on foreign governments.
Some zero-days can sell for as much as six figures, according to the Post.
The NSA's investment in software vulnerabilities was revealed by an intelligence community "black budget" that leaked earlier this week. According to that document, the NSA accounts for more than 20 percent of the $52.6 billion the U.S. government has spent on intelligence this year.
Of the $10.8 billion the NSA spent in 2013, $1.6 billion went to "data processing and exploitation," the category that presumably covers the purchase of zero-day vulnerabilities.