It's not true anymore due to the new generation of hackers that came up, and it's unpolite to dox them if they don't want to be known for it, but for a period, about a third of Google Chrome/Project Zero security all came from ex Western govts (or contractors) - you can find vague mentions on dailydave mailing list about this.