[Ajedi32]

If they were black-hat researchers, they wouldn't have reported the vulnerabilities to Google, and thus the researcher's reports wouldn't be considered duplicates.

My guess is they're either working for the bug bounties, or they're employed by a company that uses Android extensively and wants to make sure its secure.

[ac29]

Exploring the acknowledgements [0] shows many of these Chinese researchers are working for the big internet firms there (Alibaba, Tencent, Baidu), so my guess is they are more motivated in securing Android for internal use than collecting bounties (its entirely possible they run their own AOSP-based Android builds for employee-provided hardware).

Being China, its also possible that the Chinese government indirectly or directly sponsors this research, since Android is by far the most common smartphone OS there.

edit: C0RE Team [1], who also has many contributions seems to be an independent research company, who may be doing it just for the bounties.

[0] https://source.android.com/security/overview/acknowledgement...

[1] http://c0reteam.org/about.html

[wahern]

An interesting exercise would be to compile notification dates with code commit dates, and then compare the average difference (notification date - commit date) among groups.

If there's a discrepancy, then that's possible evidence one group might be hoarding bugs, or at least waiting for notification approval from, e.g., a domestic intelligence agency.

[Cyphase]

cue commit scrubbers