The title is a little misleading.
A 3-man team worked 2 weeks to reverse engineer WebKit, then discovered an exploit in the way WebKit processes data. Once they had this, they were able to write code to take advantage of this exploit.
So, when the Pwn2Own contest started ... hey, first team to crack the Mac - wins the Mac and $15K.
All they had to do was pull the trigger.
So that makes it illegitimate?
The exploit was there and they got in.
But with any Apple issue, it’s everyone’s fault but Apple’s.