[rando444]

Microsoft was formally notified of the vulnerability in October 2016. Why leave this out of the timeline?

The researcher that found the vulnerability first noticed it in July 2016. Between July and October he had gathered even more information about the vulnerability, presumably in his interest to demonstrate how serious the matter is, as well as a likely attempt to procure as large a bug bounty as possible.

If Microsoft was presented with such a serious vulnerability and didn't address it properly for over half a year, I would say that they are the owners of the lion's share of the responsibility here.