The vulnerability hunters at Google Project Zero want to address what they call the "upstream patch gap," when a vendor has a fix available but the downstream product providers haven't integrated it yet.