That seems to be saying that currently there is no market for website vulnerabilities, but a market for them might develop in the future as memory corruption vulnerabilities disappear due to mitigations.

This Google/Alphabet VRP change I think is pretty much just about website vulnerabilities.

Disclosure: I work at Google but not on the VRP.