Maybe the zero-day isn't disclosed from this pwn2own itself, but importantly, we now know it exists, which means we should consider how many bad actors are already independently aware of it and are exploiting it.
Responsible disclosure processes are just as much about closing the vectors that we can't prove are under active exploit.
The Pwn2Own exploits have generally not already been out there. There has been a long history of these, including some incredible Chrome exploits! So the disclosure process tends to work out OK.
I think that's right that pwn2own exploits are generally new to the public, but that only means it's not provably out there.
Just to be clear, I think programs like this are great and they do improve safety, but only because they result in patches. This news shouldn't make users feel safe until there is a patch.
Agreed, just because it exists doesn’t mean it was being exploited.
And these help patch not just the specific hole but the general approach of the exploit chain may expose a whole area the development team had not previously considered.