Google has overhauled its Vulnerability Reward Packages (VRP) for Chrome and Android in response to a surge in the usage of AI instruments for vulnerability discovery.
Within the case of the Android and Google Units VRP, Google is now specializing in vulnerabilities with the best consumer influence, and is prioritizing flaw classes which might be tougher for AI instruments to seek out.
The tech big additionally introduced incentivizing actionable experiences, explaining, “We’re shifting our program concentrate on Linux kernel vulnerabilities to Google-maintained parts except there may be concrete proof of exploitability on Android or our units. For many vulnerabilities we will even be strongly incentivizing experiences to comprise proposed patches for addressing the underlying situation.”
By way of the reward quantities, the utmost payouts have elevated significantly, from $1 million to $1.5 million for zero-click Pixel Titan M exploits with persistence, and from $500,000 to $750,000 for exploits with out persistence. Safe ingredient knowledge exfiltration is now value as much as $375,000, from $250,000.
For Chrome vulnerabilities, however, commonplace payout quantities have dropped considerably as the corporate is shifting focus to actionable experiences.
“Whereas AI has made it easy to provide prolonged, detailed write-ups, our inner tooling has additionally developed to assist us mechanically clarify and counsel fixes for bugs,” Google defined. “Shifting ahead, we’re shifting our program’s focus to prioritize concrete proof {that a} bug exists. We now contemplate the simplest experiences to be concise, containing solely a reproducer and the mandatory artifacts to assist us validate and route the problem.”
Particularly, the bottom reward for reminiscence issues of safety is now $500, with multipliers for components equivalent to reachability and the extent of exploitability. Safety researchers identified that some Chrome bug rewards at the moment are 10 occasions smaller than earlier than.
The corporate additionally introduced phasing out bonuses launched final yr for arbitrary learn/write and distant code execution vulnerabilities following a surge in AI-driven submissions.
Google additionally plans to launch particular Chrome configurations designed for security researchers to show arbitrary learn/write and memory-leak points.
It’s value noting {that a} full-chain Chrome exploit continues to be value as much as $250,000, with the identical quantity supplied as a bonus for a MiraclePtr bypass.
Whereas particular person bug payouts might drop, Google expects to extend its complete mixture rewards for 2026 after paying a record-high $17.1 million in 2025.
The adjustments introduced by Google aren’t shocking. Superior AI instruments equivalent to Anthropic’s Claude Mythos and OpenAI’s GPT‑5.4‑Cyber are bringing important adjustments to the vulnerability discovery panorama.
Whereas Mythos and GPT‑5.4‑Cyber presently have restricted availability to stop abuse, even broadly out there instruments have led to a surge in AI-based vulnerability experiences, leaving some organizations overwhelmed by these submissions.
The Web Bug Bounty (IBB) program just lately paused accepting new vulnerability experiences because of an inflow of AI-assisted security analysis, and plenty of different organizations have complained concerning the influence of AI instruments, which create a big imbalance between the amount of submissions and the flexibility to handle vulnerabilities.
