From Google’s online security blog:
Security is a top priority for Google. [...] We’re hiring the best practically-minded security researchers and contributing 100% of their time toward improving security across the Internet.
[...]
Every bug we discover will be filed in an external database. We will only report bugs to the software’s vendor—and no third parties. Once the bug report becomes public (typically once a patch is available), you’ll be able to monitor vendor time-to-fix performance, see any discussion about exploitability, and view historical exploits and crash traces. We also commit to sending bug reports to vendors in as close to real-time as possible, and to working with them to get fixes to users in a reasonable time.
This is good news. However, what will Project Zero's policy be if a vendor simply ignores bug reports and refuses to patch its software? Will the vulnerability be published after a certain amount of time has elapsed?
Anyway, as the database of (presumably fixed) bugs grows, it will undoubtedly offer opportunities for security researchers to better understand and improve methods and processes for dealing with vulnerabilities.