1. Google uses Mac OS and Windows internally, they're a big enough company that even untargeted malware that hits a small percentage of systems costs them money (not to mention targeted malware), and they're also a big enough company that the amortized cost of Project Zero, across all employees, is affordable.
2. The top-notch researchers who find vulnerabilities in their server stack (Linux, etc.) also like looking at different OSes occasionally, and this is a way of recruiting and keeping them at Google, which leads to them disclosing and fixing Linux security issues internally while waiting on an external response.
3. They're unhappy with their software vendors not taking security and vulnerability response seriously, and they're trying to shift the popular consensus / Overton window on how seriously people should care and what the industry-standard response to reports should be.
"Don't be evil" means that sometimes you should do things for the good of the community without expectation of direct rewards. Maybe I'm idealistic and naive but I think that Google tries to live up to that.
Maybe it's their way of fighting the Man. They're compelled, almost by force, to cooperate with the US and other governments in spying on their users. This seems like a way to offset that ethical load by taking away some of the tools those bad actors use as weapons. I know I'd do it if I were in their shoes.
Google's ads are so pervasive that they make money for just about every minute you use the internet. If your computer is infested with viruses you might turn it off and go outside, therefore it's in Google's best interests to invest in general computer security.
A common monetization method used by malware distributors is to secretly replace legitimate ads that get loaded on the machine (such as Google's) with their own.
Done on every single web page visited by that machine for the rest of its existence, multiplied by hundreds of thousands of other infected machines out there, and multiplied again by the dozens of different black hat groups doing this simultaneously, it adds up to a lot of lost money for Google.
I understand the ad thing but that idea applies to all software companies (because they want their own browsers and operating systems used by users), not just Google.
To me it feels like they're throwing their competitors under the bus in this way as opposed to running slander campaigns or witty commercials like Samsung, Microsoft, and Apple do. I'm not saying this is their intention but that is the way it comes off and it cannot be good for their reputation.
A non-profit organization funded by the entire tech industry would have more credibility.
It's not like they sit around and say: "Oh, f*ck Android, let's find vulnerabilities in other operating systems." I suppose they have long had a team working on Android vulnerabilities, but fixing and deploying is not trivial, not to mention finding the flaws.
When it comes to others, they have total disregard for how difficult any fix is to deploy. The same standard should apply to themselves, but clearly doesn't.
For a start, they could try to fix vulnerabilities in Jelly Bean's webview[1] and urge manufacturers and carriers to push updates to their phones, since 46% of the market is apparently still Jelly Bean[2].
Of course, it's an uphill battle with the manufacturers/carriers. But as long as Google is not applying fixes to Jelly Bean, the manufacturers can always blame Google.
Google engineers mostly use their beefy workstations with a Google-flavored Ubuntu installed to code. Most engineers have Mac laptops though (at least on my team), even though their use is quite limited (you cannot store code there, so mostly you have to ssh or remote desktop to your workstation).
That is generally true, but not completely so. A number of Android engineers develop directly on Mac, and all iOS app developers do so because there isn't an alternative. And there are some weird engineers like me who mount their Linux disks on their Macs via NFS and only use their Linux boxes for command line work (builds, running servers, etc.).
Project Zero appears to be generating mostly negative PR for Google (and MS and Apple). From a wider public perception standpoint, it's almost lose-lose all around.
Well, that's one perspective. There are a lot of people who believe that disclosure like what Google is practicing will ultimately increase the rate at which bugs are fixed and decrease the frequency of computers being compromised.
I understand the benefit of this program to the public, but what real benefit does funding Project Zero Day provide Google?