The trick is to put yourself in the context of a potential leaker. Is this person technical? Would they have the skill to distinguish between Heartbleed and another equally powerful exploit? What "at least two years" means to me is not that they knew specifically about Heartbleed shortly after it was introduced, but that there may be another equally damaging bug the NSA exploits that a non-programmer could easily confuse. After all, I'm sure they don't have this exploit labelled "Heartbleed" in their database.
Furthermore, if a piece of software is responsible for protecting a huge percentage of the internet and is known to be a mess, you can be absolutely certain that there are not just one or two researchers, but possibly several teams, responsible for probing that code base each and every day looking for exploits.
I would be surprised if every single commit to OpenSSL doesn't get dozens to hundreds of man-hours of attention from people very good at breaking secure systems.
With that in mind, you can also be sure that the NSA isn't the only government agency that is putting tons of money into exploiting OpenSSL and other critical software. I'd be surprised if it took them more than 1-3 months to find this exploit after it was introduced. If they found it in that time, you would expect that other government agencies found it nearly as quickly and have been exploiting it as well.
When you have million- and billion-dollar budgets used to find and exploit bugs in software, you can be certain that the average person is losing out big time.