They're US based now, but there's no guarantee it'll stay that way, if a buyer were to come along with enough money. I guess if your theory is correct then pressure would be applied to make sure any foreign buyout didn't happen.

In any case it's extremely unlikely to happen any time soon, but who knows what could happen 50 years down the line, especially if they were to lose market share or the internet fades from relevance.

I'm not accusing cloudflare of anything malicious, I want to be clear. But this polyfill wasn't originally malicious either, it was just eventually bought by a malicious actor.

My original comment was just commentary on the symmetry of the exploit and the mitigation, they're essentially the same vector.