Google’s Record-Breaking Bug Bounty: A Response to AI-Driven Security Research
Google has made significant changes to its security vulnerability reward programs, setting a new record by raising its top payout to a staggering $1.5 million. The move is largely driven by the growing influx of AI-generated bug reports that is inundating the cybersecurity research community.
The tech titan’s revised Android and Chrome Vulnerability Reward Programs (VRPs) now offer up to $1.5 million for a zero-click, full-chain exploit of a Pixel device that targets the Titan M2 security chip with persistence. This is a significant increase from the previous $1 million maximum. A similar exploit without persistence can now earn up to $750,000. Meanwhile, full-chain Chrome browser exploits can yield up to $250,000, with an additional bonus of up to $250,128 for bypassing specific memory protections.
This restructuring is a strategic response to the growing influence of AI in vulnerability discovery. Google is now prioritizing rewards for high-complexity bugs that automated tools struggle to identify, actively discouraging the deluge of low-value, AI-generated submissions that have started to burden review teams across the industry. The Internet Bug Bounty (IBB) program recently halted new submissions entirely due to the sheer volume of AI-assisted reports.
Since Google’s bug bounty program launched in 2010, it has paid out more than $81 million to security researchers. The company anticipates that total aggregate payouts in 2026 will increase even further, despite reductions in some individual reward categories.
Source: TechRadar
