Hacker News
by halbecaf 3488 days ago
Project Zero has reported plenty of bugs in Google software: https://bugs.chromium.org/p/project-zero/issues/list?can=1&q...
1 comment

That's encouraging -- I had cynically assumed it was just a naive PR play -- but have they screwed over other Google projects by publishing 0-days at the end of their arbitrary time window? For example, do they publish zero-days on widely-deployed versions of Android?
I believe they follow the same reporting process regardless of vendor, Google included. Here's one that Google fixed in Chrome about 15 days before the 90 day public release threshold: https://bugs.chromium.org/p/project-zero/issues/detail?id=16...

(You'll note the explicit discussion in there about the deadline:

"Chromium issues should be treated the same as any others. So there's a 90-day deadline (which was not exceeded in this case), ...

Same disclosure warning to the Chrome team was in this bug: https://bugs.chromium.org/p/project-zero/issues/detail?id=51...

And Project Zero explicitly warned the Android team about the 90-day disclosure policy in the one bug report I checked:

https://code.google.com/p/android/issues/detail?id=182510

Edited to add:

Here's one where they disclosed prior to Android fixing the bug: https://bugs.chromium.org/p/project-zero/issues/detail?id=86...

with the note "deadline exceeded". Unfortunately, the link to the Android bug is still protected, so we can't learn why AOSP hasn't fixed it yet.