Google Adjusts Bug Bounties: Chrome Payouts Drop as Android Rewards Rise Amid AI Surge

Google has overhauled its Vulnerability Reward Programs (VRP) for Chrome and Android in response to a surge in the use of AI tools for vulnerability discovery. In the case of the Android and Google Devices VRP, Google is now focusing on vulnerabilities with the highest user impact, and is prioritizing flaw categories that are more difficult for AI tools to find. The tech giant also announced incentivizing actionable reports, explaining, “We are shifting our program focus on Linux kernel vulnerabilities to Google-maintained components unless there is concrete proof of exploitability on Android or our devices. For most vulnerabilities we will also be strongly incentivizing reports to contain proposed patches for addressing the underlying issue.” In terms of the reward amounts, the maximum payouts have increased considerably, from $1 million to $1.5 million for zero-click Pixel Titan M exploits with persistence, and from $500,000 to $750,000 for exploits without persistence. Secure element data exfiltration is now worth up to $375,000, from $250,000.  New Android VRP payouts Old Android VRP payouts For Chrome vulnerabilities, on the other hand, standard payout amounts have dropped significantly as the company is shifting focus to actionable reports. “While AI has made it effortless to produce lengthy, detailed write-ups, our internal tooling has also evolved to help us automatically explain and suggest fixes for bugs,” Google explained. “Moving forward, we are shifting our program’s focus to prioritize concrete proof that a bug exists. We now consider the most effective reports to be concise, containing only a reproducer and the necessary artifacts to help us validate and route the issue.” Specifically, the base reward for memory safety issues is now $500, with multipliers for factors such as reachability and the level of exploitability. Security researchers pointed out that some Chrome bug rewards are now 10 times smaller than before. New Chrome VRP payouts Old Chrome VRP payouts The company also announced phasing out bonuses introduced last year for arbitrary read/write and remote code execution vulnerabilities following a surge in AI-driven submissions.  Google also plans to release special Chrome configurations designed for security researchers to demonstrate arbitrary read/write and memory-leak issues.   It’s worth noting that a full-chain Chrome exploit is still worth up to $250,000, with the same amount offered as a bonus for a MiraclePtr bypass.  While individual bug payouts may drop, Google expects to increase its total aggregate rewards for 2026 after paying a record-high $17.1 million in 2025.  The changes announced by Google are not surprising. Advanced AI tools such as Anthropic’s Claude Mythos and OpenAI’s GPT‑5.4‑Cyber are bringing significant changes to the vulnerability discovery landscape.  While Mythos and GPT‑5.4‑Cyber currently have limited availability to prevent abuse, even widely available tools have led to a surge in AI-based vulnerability reports, leaving some organizations overwhelmed by these submissions.  The Internet Bug Bounty (IBB) program recently paused accepting new vulnerability reports due to an influx of AI-assisted security research, and many other organizations have complained about the impact of AI tools, which create a significant imbalance between the volume of submissions and the ability to address vulnerabilities.  Related: OpenAI Launches Bug Bounty Program for Abuse and Safety Risks Related: Google Offers Up to $20,000 in New AI Bug Bounty Program WRITTEN BY Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Critical Gemini CLI Flaw Enabled Host Code Execution, Supply Chain Attacks EnOcean SmartServer Flaws Expose Buildings to Remote Hacking Sandhills Medical Says Ransomware Breach Affects 170,000 Hundreds of Internet-Facing VNC Servers Expose ICS/OT 38 Vulnerabilities Found in OpenEMR Medical Software Critical GitHub Vulnerability Exposed Millions of Repositories Vimeo Confirms User and Customer Data Breach Robinhood Vulnerability Exploited for Phishing Attacks Latest News New Bluekit Phishing Kit Features AI Assistant In Other News: Scattered Spider Hacker Arrested, SOC Effectiveness Metrics, NSA Tool Vulnerability  Two US Security Experts Sentenced to Prison for Helping Ransomware Gang Sophisticated Deep#Door Backdoor Enables Espionage, Disruption Cisco Releases Open Source Tool for AI Model Provenance  Hugging Face, ClawHub Abused for Malware Distribution FBI Warns of Surge in Hacker-Enabled Cargo Theft 1,800 Hit in Mini Shai-Hulud Attack on SAP, Lightning, Intercom Trending Webinar: A Step-By-Step Approach To AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection And Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move Chris Sistrunk has been promoted to Practice Leader for Mandiant's OT Security Consulting. Nudge Security has appointed Patrick Dillon as its Chief Revenue Officer. AutoNation has appointed Brian Fricke as Chief Information Security Officer. More People On The Move Expert Insights The Mythos Moment: Enterprises Must Fight Agents With Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Why Cybersecurity Must Rethink Defense In The Age Of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win The Cyber War Without The Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI Of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules Of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) Flipboard Reddit Whatsapp Email