This is actually very cool: a dataset of 3900 CVEs, with a matching fixing commit for 1359 of them.<p>So, lots of opportunity to find a big payout w/r/t the unfixed CVEs. Whether successful or not, those attempts will definitely strengthen the ecosystem.<p>And possibly even shame Google into providing cross-vendor Android security fixes... (note to the uninitiated: this is heavy sarcasm, will never happen, etc. etc.)