"We're not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers."
Yes, it's a guest post. What I said is that, while in theory they said they will research all major OSs (including Android, which is by far the most common mobile OS), they have yet to publish a single vulnerability as a result of their research.
Maybe they do publish them but they are all fixed before the 90 windows passes so they don't have to be disclosed their. You still go to git.chromium.org and aosp's git see the daily security/improvement patches that go there.
The disclosure window is typically for fixes released to end-users, not just fixed by vendors. This is also what was enforced with MS last round, where they had a fix ready but couldn't get it to pass QA and being released before the 90-days window expired.
