Simple process
I don't think this needs a complex review board. Much the same benefit could be created with a simple process:
1) A limit (say 5) on the total number of exploits which can be hoarded at any time.
2) An absolute time limit on the length of time it can be hoarded for. 12 months seems reasonable. After that time, it has to be reported to the manufacturer.
3) A risk assessment and contingency plan, including a patch prepared in advance by the NSA so it can be fixed immediately if it becomes known.
The problem is enforcement (trust, but verify), but codifying it in a law would help. At least it would be clear a crime has been committed if a more-than-12-month-old vulnerability appears on WikiLeaks.