
I'm wondering if any State Attorney Generals are tech savvy, don't like the current administration, and want some publicity[1] enough to start an investigation? I would imagine a subpoena asking for the financial records of the OpenSSL contributors would be a first step (to find Gov payments). I can see a very scary witch hunt.

1) that part might be a little rhetorical, every AG likes good publicity.



"Financial records of the OpenSSL contributors"? How extremely silly. Knowing about Heartbleed? Easy to see. Not sharing Heartbleed? Easy to see. Deliberately introducing a vulnerability that every single US adversary could trivially find? Beyond unlikely.


My personal opinion is that I doubt the NSA introduced it, but if it allowed other countries to exploit US citizens and the NSA knew about it, then that is indefensible behavior.

That being said, it would be a pretty standard tactic for an AG to look at who paid the people who did the work. It is a pattern in a lot of different types of investigations and familiar to an AG. Will they find anything? Doubtful. Will that really matter? Doubtful.

I should at this point say that I am thinking of a scenario that would occur to an AG (the pattern happens a lot). I am not advocating such behavior. It would have a huge chilling effect on public source code of any type and probably generate some seriously evil legislation (certifications or liability insurance). These concerns have never been part of most politicians' concerns.


I think it's hilarious to see people who are ostensibly zealous advocates of privacy lobbying to get prosecutors to subpoena the financial records of the people who invest their free time in building privacy-protecting software.

I am at the same time comfortable filing this under "things that will never happen".


Hold up, do you think I actually want the scenario I stated to happen?


Presumably, any State Attorney General will have gone to law school, and will thus know that the Federal Government is immune to suits from the states.


They are not actually immune, states sue the federal government (or at least departments) all the time. Look at the ACA cases for an example. They can also go after the individual people involved as long as they are not serving in the government.


The states can presumably go to court to keep from being compelled to comply with an unconstitutional law. They cannot sue the state for damages.


The states can go for a variety of reasons when they feel the federal government is overstepping their bounds or has committed a constitutional violation. They can open investigations into federal behavior.

I never said anything about damages.


Who said anything about suing the USG, unless you are already assuming someone contributing to OpenSSL was hired by the USG in some relevant capacity. I don't see what would shield contributors to OpenSSL from a criminal investigation.


[deleted]


Again: they can challenge compulsion to adhere to unconstitutional laws. Note that MA didn't sue the USG for damages.



