by randallu
4595 days ago
Is there a better write-up of the exploit? How did they escape the renderer sandbox? (I ask because I theorize that it's really easy to escape the Chrome renderer sandbox, since the renderer is attached to Binder and thus has access to the whole system_server interface and everything else registered through the magic android.os.ServiceManager.)
ZDI is built around Intrusion Detection/Prevention, so they are effectively buying the newest and greatest exploits, ostensibly for the purpose of writing new IDS/IPS detection rules.
The consequence is that you probably won't get a better write-up of the exploit for some time. To be eligible for the award, you agree to withhold publicly disclosing the details of your exploit for some time.
The secrecy around handling the exploits may be a contributing factor to Dragos' weirdness on the #badbios thing. The Pwn2Own contest would be the reason he's got a legitimate possibility of being targeted by something as strange as he's been describing.