They should be banned from buying exploits
If they buy a 0 day, and don't share details with the vendor, they are knowingly aiding and abetting criminals and potentially terrorists, who will be buying (and eventually using) those same exploits from the same source the spooks did.
The only 0 days they should be permitted to keep in their arsenal and not inform the vendor about are those they discover themselves. Not that I like that much either, but they're going to do it whether I like it or not, so this way at least minimizes the harm they do. This way they won't aid and abet criminals, or provide them with taxpayer funds.
Biting the hand that feeds IT
