GOOGLE has overhauled its Vulnerability Reward Programs for Chrome and Android in response to a surge in AI-enabled vulnerability discovery, with Android rewards rising even as Chrome payouts fall. The maximum Android VRP payouts have increased, with zero-click Pixel Titan M exploits with persistence now worth up to $1.5 million, and exploits without persistence up to $750,000; secure element data exfiltration is up to $375,000.
By contrast, Chrome rewards have been trimmed as Google shifts toward actionable reports, and the base memory-safety reward is now $500, subject to multipliers for reachability and exploitability. The company has also phased out bonuses for arbitrary read/write and remote code execution vulnerabilities introduced last year, while planning special Chrome configurations to help researchers demonstrate certain issues.
According to Google explained, the programme is prioritising concise reproducer reports with patches proposed to address the underlying issue, and Google expects to raise total aggregate rewards for 2026 after a record-high $17.1 million paid in 2025.