Per the write-up, they only went public with details of this exploit after F-Droid merged the "fix" that didn't actually fix the problem despite having been warned that it will not, and despite being told what they actually need to do to fix it properly.