As I was reading it I didn't realize I was reading a security report, so I was like, is it responsible for them to be sharing this?

Then I saw the disclosure at the end and didn't get the sense that the flaw was fixed, so then I was still thinking... Is it responsible for them to be sharing this?

I'm glad that they did, because I can audit my own projects, but a bad actor may also be glad that they did.

The fact that we're hearing this first from a third-party and not from Google themselves is extremely problematic.