> How did a privately reported zero-day leak from Bugzilla into an attacker's arsenal?
This was a VERY valuable bug. I mean, it's sad to think about but the most likely scenario is that someone with access to the report at Mozilla or Google (or maybe elsewhere if it was shared more widely) called a friend of a friend of a friend and... sold it.
Moreover, people are bad at keeping secrets. Social engineering is clearly a thing, even among infosec circles.
Sometimes all it takes is being in the right bar and having a good ear.