Two days ago I reported an issue to Google Chrome, keeping the official format and discretion. It's about Autofill passwords found in unencrypted RAM made easily accessible also via Javascript for an arbitrary extension, as you for sure know. I used a Disassembler/Debugger/Memory Dumping tool to also verify that the passwords appear in memory unencrypted, and there is no runtime encryption in place whatsoever.

I walked through file trees of Chrome and found Chrome's SQLite database containing URLs and E-Mail addresses, that are also listed on chrome://settings/passwords - Obviously, here you need a system password for a fully visible password here in this internal Chrome location; yet - when you manage to navigate the browser to the target URL, you don't need that anymore, since Javascript will do the trick. That can be abused by a CRX extension or my maliciously running native code having access to process memory, even though that requires full system privileges which Project Zero should know a thing or two about. 

I would at least except Google and the Chromium team to keep courtesy and inform me before tracelessly removing a seriously meant bug report to the project.

Btw, the password shown in the screenshot is not a real password.