GrapheneOS as a whole have reported several issues upstream to AOSP in the past, some appear on Android's Security Acknowledgements web page too but not always. Oldest is in 2015 but there is none credited to the GrapheneOS name rather the independent developers themselves. There are likely more to come since these recent upstream vulnerability reports.

This only counts unique discoveries, there have been times where the team discovers a vulnerability to find out it is a duplicate already being investigated internally. The major lock screen bypass vulnerability from 2022 was discovered by GrapheneOS independently that June when working on developing a duress PIN feature and had an initial patch developed for it by then. However when it was submitted to Google, it was a duplicate. It got fixed by the upstream in November.

Sometimes AOSP will add a security feature the OS had prior, when this happens we remove it from the features page off the site.

This only counts AOSP, there have been contributions to the Linux kernel, LLVM and others. It also isn't just security issues but it can also be general bugs. There is a wide range.