The fact it's open source enabled someone outside the project to find it in practice. While also possible with closed source software, if you think the bar is possibly too high with an open source project, it is an order of magnitude higher with closed source.
Also, please don't say "Google". A bunch of hackers (on Google's payroll) found it, not Google. We can't tell what would've happened in a counterfactual universe where Google was not financing Project Zero.
I’m shocked at how cynical your perspective is that you don’t grant credit here.
Like if I said “the police didn’t save me from the hostage situation. Some hero saved me who happened to be working for the police. In an alternate universe where this guy isn’t employed by the police, we don’t know if he wouldn’t have saved me anyway.”
I just prefer congratulating the actual people that did this instead of the relatively arbitrary money supplier. You could say I'm equally shocked that credit is propagated as "Google" instead of the names of the researchers.
The reason I said Google is because I think that if the NSA pulled some strings at Google, this exploit would not have been published. As such this was all in the hands of Google.