
I am not sure smaller devs were given the option of self-scanning code. I always wondered what the point of that was, given that there is no way for Google to ensure that the scanned code was the version distributed, and even then, as soon as a minor update was released it would have been out of date.


Because they don't care about security, it's compliance-checkbox-driven policies.


Bingo! The whole thing is for butt-covering purposes. It's just so that when something happens, Google can then say "We followed $STANDARDS_BODY Policy #420.69, so we can't be held responsible!" Theoretically even Panic would gain a little butt-covering from it too. "Look, this vulnerability was so hard to spot that even these very professional security auditors missed it 8 years in a row!"

It's all still pretty worthless though imho.



