Buggy software isn’t just annoying—the right compromised code can leave private information vulnerable to clever hackers for as long as the problem is unnoticed. The only thing that could make bugs worse? Government agencies gaining access to the vulnerabilities before everyone else, and using spies to exploit them.

Before Microsoft releases a public patch of to a software bug, it passes along that information to U.S. intelligence agencies, say two sources familiar with the program.

Best case scenario, this information is used to protect critical government online infrastructure first, making sure that vital functions are the most secure. The official line from Microsoft is that this gives government “an early start” in stopping risks. But it also gives government agencies a window to exploit these gaps for intelligence collection purposes.

Microsoft software is both widely used and infamous for its bugs. Just this week, Microsoft released a patch designed to cover an image file exploit that let hackers look at special information. Disclosed in May, there’s an exploit in Microsoft Office that could give an attacker a foot in the door to gaining full access to the attacked computer.

Microsoft is a huge company; that there are constantly new bugs being discovered isn’t that surprising. Sometimes major software is released with “day-zero” bugs, like Internet Explorer 8, or Windows 8, or every version of Windows ever. It’s a problem for all of the online world that uses Windows, and leaves an insecure ecosystem of software.

It’s one thing to struggle with a product full of security vulnerabilities and potential for exploits. Handing that information over to the government first? Forget PRISM, this is real super-villain stuff.