I don't think that link is necessarily better just because it's the original source. The linked article gives a concise overview, while the blog post spends the first paragraph talking about moving and starting a new job.
In general, I would wager that HN prefers intellectual curiosity over overviews. Submission guidelines infer that by stating "Please submit the original source. If a post reports on something found on another site, submit the latter."
Sure, though I'd argue in the case of vulnerabilities an overview is particularly valuable. Not everyone wants to dive into the details; in my case what I'm most interested in is whether I (or anyone else at my day job) might be affected.
I would agree. I would also say that when the secondary article contains a lot of value added above, the original, such as is the case here, the secondary source is better because it is easy to follow its link to the original if that's what you'd like to see.
I definitely agree with the guideline around favoring original sources, but this seems like a good time to deviate.
Their exploit development process is interesting, and I like to think I'd have done something similar (that is, compiling an easier-to-exploit version of the application and gradually working up to the real thing)