Google Revamps Bug Bounty Programs: Android Rewards Rise, Chrome Payouts Drop in the Age of AI

Google revamps bug bounties: Android rewards rise to $1.5M, Chrome payouts drop, shifting focus to high-impact, AI-resistant vulnerabilities.
Google has announced a major overhaul of its Vulnerability Reward Programs (VRP) for Android and Chrome, marking a strategic shift in how the company approaches cybersecurity. The update comes as artificial intelligence tools are reshaping the field of vulnerability discovery, transforming both the speed and nature of security research.
Over the past few years, generative AI systems have changed how bug hunting is done. Advanced tools, some still limited in availability, such as Claude Mythos or GPT 5.4 Cyber, can automate large portions of code analysis and exploit development. Even widely available AI models have driven a surge in vulnerability submissions, though many of them are neither useful nor reproducible.
Google says these changes made it necessary to evolve its bounty programs, moving the emphasis away from the volume of reports toward their quality and user impact.
“Over the past few years, AI and automation have accelerated the pace of vulnerability discovery, and our teams are moving at an unprecedented rate – remediating risks more effectively than ever before. The latest advancements in AI from Google and the broader industry have made it significantly easier to take a test case and explain the root cause, propose a suitable fix, and to find variants of known problems,” reads the announcement. “And to keep pace with vulnerability discovery, we’ve been continuing to implement structural improvements in our products to make it increasingly difficult to achieve full chain exploits.”
The new goal is to incentivize actionable reports: submissions that include concrete proof that the bug exists, a working exploit demonstration where feasible, and ideally a suggested fix.
The Android and Google Devices VRP sees the most dramatic updates. The program now prioritizes vulnerabilities with high user impact and those that remain difficult for AI tools to detect automatically.
The top reward for a zero-click exploit targeting the Pixel’s Titan M security chip with persistence has increased from $1 million to $1.5 million. For exploits without persistence, the reward rises from $500,000 to $750,000. Additionally, successful secure element data exfiltration can now earn up to $375,000, up from $250,000.
Google is also putting more emphasis on complete proof-of-concept submissions and proposed patches; reports accompanied by a practical fix will be rewarded more generously. At the same time, the company is narrowing the program’s scope to vulnerabilities in Google-maintained components. Bugs in the upstream Linux kernel as a whole now qualify only if the reporter can demonstrate that they are exploitable on Android or Google devices.
For Chrome, Google is taking the opposite route: standard payouts are decreasing across most categories. The rationale is that AI tools can now produce long, detailed write-ups at little cost, so Google is instead rewarding concise, verifiable reports that demonstrate a reproducible problem rather than merely describing one.
The base reward for memory safety issues is now $500, with multipliers applied for factors such as reachability and exploitability. The company has also phased out the bonuses introduced in 2025 for arbitrary read/write and remote code execution vulnerabilities, citing an overwhelming influx of AI-generated reports in those categories.
That said, a full-chain Chrome exploit remains highly lucrative, worth up to $250,000, with an additional $250,000 bonus for bypassing Google’s MiraclePtr protections. Google also plans to release special Chrome builds to help researchers reproduce complex issues such as memory leaks or arbitrary memory access.
“While AI has made it effortless to produce lengthy, detailed write-ups, our internal tooling has also evolved to help us automatically explain and suggest fixes for bugs. Moving forward, we are shifting our program’s focus to prioritize concrete proof that a bug exists,” continues the announcement. “We now consider the most effective reports to be concise, containing only a reproducer and the necessary artifacts to help us validate and route the issue.”
Although some individual payouts have decreased, Google expects to increase its total rewards in 2026, following a record-breaking $17.1 million paid out in 2025. The company emphasizes that the move is not about cost-cutting but about optimizing value and efficiency in vulnerability research.
Other major security organizations are facing the same reality. The Internet Bug Bounty (IBB) program recently paused new submissions because of an overwhelming number of AI-generated reports. The challenge is no longer just finding bugs; it is handling the flood of submissions and distinguishing meaningful discoveries from AI-generated noise.
Google is taking a balanced approach to AI in cybersecurity, not resisting it but shaping how it is used. While AI can find vulnerabilities quickly, it can also overwhelm triage teams with low-value reports. By updating its bug bounty programs, Google aims to reward quality over quantity and encourage human insight. This strategy could influence how other technology companies adapt their security programs in an AI-driven landscape.
“Along with these changes, we will be reducing some of our reward amounts and bonuses across Android and Chrome. While these adjustments may reduce the payout for a single bug report, we continue to prioritize our VRPs and the total aggregate rewards paid out in 2026 are expected to increase,” concludes the announcement. “The new values and reward categories are now live on our Android and Chrome rules pages. We’ll continue to evaluate and refine our VRPs to ensure they remain the industry standard for security research.”
Pierluigi Paganini
(SecurityAffairs – hacking, Google Bug Bounty)

