Heartbleed ⇥ schneier.com
I’m sure you’ve seen the news about this, so it seems a little redundant to restate just how catastrophic this flaw is.
That said, I’ve seen a fair amount of speculation that this bug was either used or even introduced by the NSA. Apparently, honeypots have seen activity related to this bug, so it was at least somewhat known prior to its disclosure earlier this week; therefore, it wouldn’t surprise me if it were one of the (likely many) vulnerabilities used by intelligence agencies. However, it appears to be an honest bug that has been present in OpenSSL’s heartbeat implementation since the day that code was added. That raises questions of its own about the safety and reliability of the open-source, security-critical tools that form the backbone of the web, but it does not indicate malicious intent.
See also OpenSSL’s commit to fix the bug.