Following up with concrete operational cost data you suggested was important. I ran both implementations ingesting 1M certificates and performing monitor-style read operations:

Write Costs (1M certificates):
- CompactLog: 12,847 storage PUTs
- Sunlight: 287,364 storage PUTs
- 22.4x more expensive writes

Read Costs (Full tree sync, 1000 iterations):
- CompactLog: 82,025 GETs total (mostly cache hits after first sync)
- Sunlight: 41,030,000 GETs (41,030 per sync × 1000)
- 500x more expensive reads

This exposes fundamental architectural issues with "independent read/write paths." The system lacks application-level caching, meaning every monitor request hits storage directly. This design is vulnerable to denial-of-funds attacks where attackers can directly drive up S3 costs. Additionally, it requires an expensive CDN, which ironically couples the paths that are claimed to be independent. Finally, this architecture cannot achieve 0 MMD (Maximum Merge Delay) because independent paths inherently require synchronization delay between them.

Most critically, CompactLog's 0 MMD strengthens CT's security model. When SCTs are issued, certificates are immediately visible to monitors - no window for undetected misissuance. The "independent paths" architecture makes this impossible by design.

I sympathize with the investment in classic static CT - significant effort has gone into this approach by talented engineers. However, when architectural limitations force defenders to propose "security by @" (rate limiting based on user agent strings) as a serious solution, I believe we're witnessing sunk cost fallacy in action.

It's worth noting that the operators most vocally advocating for static CT appear to have infrastructure sponsorship arrangements that shield them from these costs. When storage and bandwidth are free, any difference in operational costs becomes irrelevant.
But this creates a distorted view of architectural viability - what works with sponsored infrastructure doesn't translate to sustainab...
First seen: 2025-07-04 07:11
Last seen: 2025-07-04 07:11