Google updates its bug bounty program

Google has overhauled its Vulnerability Reward Programs (VRP) for Android and Chrome, reshaping how it incentivizes external security researchers to find and disclose security flaws in its products. The most headline-grabbing change is a dramatic increase in the top Android bounty: a zero-click full-chain exploit targeting the Pixel’s Titan M2 security chip with persistence now pays up to $1.5 million, up from $1 million, while the same exploit without persistence earns $750,000. Shailesh Saini, Alex Gough, and Tony Mendez from Google said in a joint announcement, “We know that certain particularly impactful exploits remain incredibly difficult to achieve,” explaining the rationale behind maintaining and expanding top-tier rewards.

The overhaul is driven largely by the rise of AI tools, which have accelerated vulnerability discovery to the point where Google is now being flooded with low-quality, AI-generated submissions that strain its security teams. In response, Google stated that it wants researchers to shift toward concise, verifiable reports: “we are shifting our program’s focus to prioritize concrete proof that a bug exists.” Reflecting this quality-over-quantity philosophy, Google is actually reducing Chrome bounties across most standard categories, since AI has made many routine exploit demonstrations far easier to produce. Despite lower individual payouts in some areas, Google expects its total rewards paid in 2026 to exceed the record $17.1 million distributed in 2025. The changes signal a broader industry reckoning with AI’s double-edged role in cybersecurity — accelerating both the discovery of genuine vulnerabilities and the generation of noise that makes managing security programs increasingly complex.

Read more about it here.
