Monorail is a fork of Google Code, which was Google's public source control offering for a while.

Repos from Google Code were mostly transitioned onto more popular platforms (like GitHub). Chromium wanted to keep using the issue tracker, so they took it over to create Monorail:

https://chromium.googlesource.com/infra/infra/+/refs/heads/m...

Chrome is the biggest one, but many of Google's public-facing issue trackers are on Monorail (which is hosted at bugs.chromium.org).

It just happens to be where vulnerabilities are disclosed under the Android Partner Vulnerability Initiative: https://security.googleblog.com/2020/10/announcing-launch-of...

For various historical reasons a lot of the device-related security work is housed on Chrome infrastructure.

>Why this is Chromium issue tracker?

Others have already answered the historical reason, but a more direct and technical answer: this is not, since that would be: https://bugs.chromium.org/p/chromium/issues/list

This is issue tracker for "apvi" (whatever it means), just happened to be hosted on "bugs.chromium.org" domain like batch of others.

APVI is Android Partner Vulnerabilities Initiative. It's a working group (?) that deals with security issues of third party vendors

Here's the real reason: nobody in a position to make it more consistent ever notices the inconsistency, because internally the use of short URL redirectors is ubiquitous. I can't be sure because I don't work there any more but I would be surprised if the canonical location of this issue for Googlers is something other than go/avpibug/100 or something similar to that.