Some other article I saw quoted somewhere said that they only kept logs for a short time for this service. I wonder how they ruled out exploits older than the logs?
I have no idea, but another thing to consider is that they probably have longer-term access to the binaries of all the applications that ever used this API, and they certainly have tools for automated/large-scale inspection of applications.
One obvious example is that you can continue monitoring for evidence of attempts to use the vulnerability. A delayed honeypot, so to speak.
In other words, you don't have evidence that this vulnerability wasn't abused in 2 weeks, you have evidence that no one abused it in ~6 months. Still not perfect, but a more compelling argument that it wasn't abused.
Seems likely they actually didn't. Apparently the further down this comment thread you go, the more times this has already been mentioned. (I read the top comment in the thread having already understood this, and thus interpreted it as a hypothetical question. But in this case, it wasn't provable at all, according to Google themselves' own statement.)
Some other article I saw quoted somewhere said that they only kept logs for a short time for this service. I wonder how they ruled out exploits older than the logs?