I was really surprised when this hit, and I discovered the protocol was essentially undocumented / unspecified. I was trying to find indicators of compromise and that was made more difficult by the lack of documentation.

It was really helpful that they had coordinated with WAF providers like cloud flare ahead of disclosure to put rules in place though.