Imagine you're a government customer of Microsoft(s msft)'s, in some country that isn't the U.S. You're already anxious over the PRISM scandal and its implications for data processed in the firm's cloud. Now this: according to a Bloomberg report on Friday, when Microsoft finds a vulnerability in its software it informs U.S. intelligence agencies before its own customers.

So, in theory, those spies could exploit that vulnerability to hack into your data, before Microsoft gives you a chance to patch the flaw. And it's not just Microsoft. According to the report, "thousands of [U.S.] technology, finance and manufacturing firms" are closely aligned with American national security agencies, passing them information such as vulnerability details and hardware and software specifications, and giving them access to overseas facilities and data.

In return, Bloomberg claims, the agencies give the companies information about foreign attacks on their systems. Google(s goog) is cited as an example of this, with Sergey Brin allegedly having been invited to sit in on a secret intelligence briefing after an attack by Chinese hackers in 2010.

The report also notes claims recently made by NSA leaker Edward Snowden that the U.S. hacks network backbones in China and Hong King. Although the evidence for this "Blarney" program appears scantier than that for PRISM, the gist is that the scheme captures metadata from internet-connected devices such as computers and smartphones around the world, including OS version, Java software version and browser. Again, this would make it easier for the agencies to target and hack such devices.

On the domestic front, the piece also claims a security system called Einstein 3, which is meant to protect U.S. government systems, can "expose the private content of the emails under certain circumstances."

But it's the claims about U.S. tech vendors and their apparently voluntary information exchange with the country's spy agencies that will most bother governments and their public sector organizations around the world.

Microsoft spokesman Frank Shaw seemingly confirmed this cooperation in the Bloomberg article, saying the early release of vulnerability information helps to give the U.S. government an "early start" in protecting its systems. Other "trusted partners" reportedly include Intel(s intc)'s security business McAfee security, which apparently acts as a consultant of sorts to spy agencies wanting to know more about network architectures around the world.

There's no suggestion that any of this data-sharing is illegal – but for many governmental customers around the world it will suggest that their vendors have undisclosed interests that don't align with their own. For some in the U.S. tech industry, these revelations may turn out to be as damaging as PRISM, if not more so.