Pretty sure the government is supposed to disclose security holes if they find them (not that the NSA does that).
Which part of the government?
You do know it's not a generic thing. Just throwing around whatever and saying in general what the government is supposed to do is kinda lame.
For instance, the DoD isn't Law Enforcement and therefore they don't have a whole lot of responsibilities when it comes to enforcing the law, other than their own UCMJ for their own people.
In the same manner only specific parts of the government have any responsibility to report security flaws in software or systems. For instance, as a contractor working on a DoD contract, if I find a software vulnerability all I have to do is report it to security, done. They will run that up the line to somewhere like DoD ACERT or something like that, and they will turn around and look into it, assess the risk to DoD systems, notify users and change STIG guidance so that DoD systems get tightened up. They will probably report it to the vendor who developed the software as well.
I haven't worked for other branches of the government and frankly I doubt most of them are even close to as good on security as the DoD is, but I am sure they have something remotely similar in place. The FDA, Dept of Trans, whichever one you pick. But the end reality is that they probably do not have a responsibility to report anything to the vendor unless they think they will need the vendor's help. If a vulnerability is in something the government isn't really using, who cares, it's not their problem. It doesn't mean they won't report it, but it doesn't mean that they have to report it either.
Now I might be wrong but I have never seen anything that suggests otherwise, maybe someone else has though.