Google has announced a major overhaul of its Vulnerability Reward Programs for Android and Chrome, shifting the emphasis from quantity to quality and real-world impact in the AI era. The Android top reward for a zero-click exploit on the Pixel’s Titan M with persistence has risen to $1.5 million, with exploits lacking persistence paying up to $750,000 and secure element data exfiltration up to $375,000. The programme now prioritises high-impact vulnerabilities and those harder for AI tools to automatically detect.
For Chrome, standard payouts are falling across most categories, as Google seeks concise, verifiable reports rather than lengthy write-ups, though a full-chain Chrome exploit remains worth up to $250,000 plus an extra $250,000 for bypassing MiraclePtr protections. The changes also phase out 2025 bonuses for arbitrary read/write and remote code execution vulnerabilities. Despite some individual payouts decreasing, Google expects total rewards to rise in 2026 following a record $17.1 million paid out in 2025.