
1125 points CrankyBear | 1 comments
ksynwa No.45892229
What is the point of Google's Project Zero?

I'm not being dismissive. I understand the imperative of identifying and fixing vulnerabilities. I also understand the detrimental impact that these problems can potentially have on Google.

What I don't understand is the choice to have a public facing project about this. Can anyone shine a light on this?

1. Aurornis No.45896085
Honestly it seems kind of weird that HN comments are becoming so hostile toward a company hiring security researchers and having them do free security research on popular projects, then giving away the results for free.

There are many groups and companies that do security research on common software and then sell the resulting vulnerabilities to people who don’t have your best interests in mind. Having a major company get ahead of this and share the results is a win for all of us.

A lot of people in this comment section don’t understand the broader security ecosystem. There are many vendors who will even provide patched versions of software to work around security issues that aren’t yet solved upstream. Sometimes these patches disable features or break functionality, or simply aren’t at a level where upstream is interested yet. But patching known issues is valuable.

Getting patches accepted upstream in big open source projects isn’t always easy. They tend to want things done a certain way or have a high bar to clear for anyone submitting work.