As I understand it, Chrome and Firefox are both operating under the same policies with about the same timetables. Full distrust doesn't come until Firefox 63 / Chrome 70 - neither of which are stable releases yet.
The limited distrust (for older certs issued prior to June 2016) was activated in Firefox 60 and Chrome 66 much earlier this year.
Google blacklisted ALL Symantec certificates since Chrome 66, in April. The roadmap announced the change for October but they did it 6 months earlier, ignoring their own roadmap.
As the OP says, organizations using Symantec have already been hit very hard, by surprise.
Do you have a source for that? Google's KB articles still reference Chrome 70 [1], and I can't find another reference to this anywhere else.
Paypal.com is still operating with a Symantec signed cert - issued by "Symantec Class 3 EV SSL CA - G3". Works fine in Chrome 68. (and not in Firefox with the security.pki.distrust_ca_policy override set)
Similar environment except for the blacklisting didn’t happen to us. Any chance some wires were crossed and someone pushed out a policy explicitly distrusting the CA?
This isn't true. Chrome itself proves this when loading a site affected by wave 2 of the distrust:
"The SSL certificate used to load resources from https://(domain) will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information."
Everything was being done in 2 waves. First wave was Chrome 66, second wave is Chrome 70. See Google's link above for the specifics.
Source: Chrome's own warnings and that I work for a business that deals heavily in SSL sales.
The limited distrust (for older certs issued prior to June 2016) was activated in Firefox 60 and Chrome 66 much earlier this year.