At which point (I imagine), decisions would be made along the same lines as I described, the key questions being "can we keep it secret?" and "who has this capability?".

I tried to be nation-agnostic, as I imagine there may be a bit of difference in how a given nations' intelligence agency weighs the value of their offensive capabilities and the public defensive capabilities in light of who knows about the bug.