Completely agreed. Security is a collaborative endeavor. Project Zero was not accusatory and did not over-hype the scope of the vulnerability.
Project Zero is an amazing team that has only helped the state of security worldwide. Apple's defensive and accusatory response makes zero sense and goes against the very spirit of security today.
They're some of the top security researchers in the world and are given autonomy is why. Which is what the security community has settled on being the right incentive structure when optimizing for end user security.
In the case of these recent iOS bugs, they didn't "air them" until after the fix was released. So any "back channel", if you could call it that, seems to exist for Apple too.
>ZDI's Wednesday post said researchers notified Google of the vulnerability in mid-March and that by the end of June, the company had confirmed that the flaw would be fixed. When ZDI asked Google for an update last month, Google responded there would be no further updates. Google released the Android Security Bulletin for September on Tuesday, and the flaw still wasn't fixed. Google didn't respond to a request for comment.
If that's true, that's interesting. Because there have been cases where vendors have asked Google for more time to vet a fix that was going to lapse the responsible disclosure's window and Google (or perhaps more specifically, Project Zero) wouldn't allow it. Mid-March to end of June is a bit over 90 days at my estimation (depending on specific dates, obviously) and yet by September nothing and no updates.
The ZDI disclosure is rather vague, but I suspect this is a vendor-specific vulnerability and the speculation otherwise in the Ars Technica article is just wrong. There is no single "v4l2 driver" used across all of Android - every device has its own v4l2 driver with its own implementation of the userland-facing v4l2 APIs, and, vendors being what they are, some of them are of pretty poor quality.