This is concerning to me. They're building a database of android zero days, and sitting on it for months. Presumably, state-based actors have access to it. At the very least, this creates a centralized, high-value target for bad actors.

On top of that, the article says that some of the vulnerabilities are being disclosed to OEMs early.