
Google is overhauling its Android and Chrome vulnerability rewards programs, offering bounties of up to $1.5 million for the most difficult exploits while scaling back payouts for flaws that artificial intelligence (AI) has made easier to find.
The top reward of $1.5 million is reserved for zero-click Pixel Titan M2 security chip full-chain exploits with persistence, the most technically demanding attack scenario in the program, while the same exploits, but without persistence, are also eligible for up to $750,000.
On the Google Chrome side, full-chain browser process exploits on up-to-date operating systems and hardware now come with rewards of up to $250,000, plus an additional $250,128 bonus for successfully exploiting MiraclePtr-protected memory allocations.
“We know that certain particularly impactful exploits remain extremely difficult to achieve and we have very much appreciated engaging with the researcher community to find and unearth them,” Google said.
“We want to build on this partnership by continuing to emphasize the highest tiers of rewards across both Android and Chrome.”
For the Chrome program, Google is shifting its focus to concise reports containing only bug proofs and essential artifacts, rather than lengthy written analyses that AI can now generate automatically.
The Android program will also narrow its focus to Linux kernel vulnerabilities in Google-maintained components, unless researchers can demonstrate concrete exploitability on Android devices.
“While AI has made it easy to produce long, detailed write-ups, our internal tooling has also evolved to help us automatically explain and suggest fixes for bugs,” the company added.
This vulnerability rewards program restructuring follows a record year for Google’s bug bounty effort, with the company paying $17.1 million to 747 researchers in 2025, a more than 40 percent increase from 2024 and an all-time high.
This has brought the total payouts since the program launched in 2010 to more than $81.6 million, and Google estimates that the total combined rewards paid in 2026 will increase despite reductions in some individual reward amounts.




