Our policy for upstream Android vulnerabilities we discover has become fixing them downstream ASAP with a clear explanation in our release notes for the release including them. Filing a report upstream hasn't been part of our process for a while due to their related decisions.

https://grapheneos.social/@GrapheneOS/111147732221508664