This is not what happened at all. What happened is that after the initial discovery, the pzero team realized it was much worse than expected AND the Cloudflare team he synced with for the disclosure started ghosting him, and yet pzero still kept to the full timeline.
If you, working there and having done research, can get it this wrong while it's super easy to find the event log in the open, it doesn't give a very good vibe about the attitude inside Cloudflare regarding what happened and fair disclosure.
Full event log on Project Zero is here: https://bugs.chromium.org/p/project-zero/issues/detail?id=11...
> The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.
Meanwhile the link with Cloudflare went from this:
> I had a call with Cloudflare, they reassured me they're planning on complete transparency and believe they can have a customer notification ready this week.
> I'm satisfied cloudflare are committed to doing the right thing, they've explained their current plan for disclosure and their rationale.
To this:
> Update from Cloudflare, they're confident they can get their notification ready by EOD Tuesday (Today) or early Wednesday.
> Cloudflare told me that they couldn't make Tuesday due to more data they found that needs to be purged.
> They then told me Wednesday, but in a later reply started saying Thursday.
> I asked for a draft of their announcement, but they seemed evasive about it and clearly didn't want to do that. I'm really hoping they're not planning to downplay this. If the date keeps extending, they'll reach our "7-day" policy for actively exploited attacks. https://security.googleblog.com/2013/05/disclosure-timeline-...
> If an acceptable notification is not released on Thursday, we'll decide how we want to proceed.
> I had a call with cloudflare, and explained that I was baffled why they were not sharing their notification with me.
> They gave several excuses that didn't make sense, then asked to speak to me on the phone to explain. They assured me it was on the way and they just needed my PGP key. I provided it to them, then heard no further response.
> Cloudflare did finally send me a draft. It contains an excellent postmortem, but severely downplays the risk to customers. They've left it too late to negotiate on the content of the notification.
So it was not Project Zero but Cloudflare that moved the disclosure timeline around, and did so without keeping pzero in the loop, about an active in-the-wild exploit.