Heartbleed is NOT the kind of backdoor or compromise someone like the NSA would try to inject into an Open Source project like OpenSSL. The possibility of other spy agencies discovering it would be far too great, leading to not only the NSA being able to monitor things, but agencies the NSA doesn't like also being able to monitor stuff.
An NSA-style attack would be one of two things:
(1) discover a vulnerability that existed in the current codebase - whether due to a code flaw or some new advanced crypto technique developed in-house at the NSA - and NOT report that, under the presumption that they are far better positioned to discover that kind of vulnerability than anybody else, and thus would have exclusive access, or
(2) inject a piece of code into the project that looks otherwise completely harmless, but, given certain NSA crypto advancements, turns out to be a severe weakening of the crypto, but doesn't change things for people who don't know the secret NSA technique.
Heartbleed was neither - it was a coding mistake that, once someone finally got around to analyzing the particular putback, is an obvious error. The issue is lack of sufficient code review.
There's suspicion (but ONLY suspicion, no real factual basis) that the NSA might have known about this particular weakness a while ago. But that's entirely different than the NSA deliberately breaking OpenSSL with a code exploit. And there's serious debate about how much responsibility the NSA should have to notify the general public when they find security leaks. It's not cut-and-dried.