Google is changing its Android and Chrome vulnerability reward programs, increasing payouts for the hardest-to-exploit bugs while lowering rewards for issues that artificial intelligence has made easier to discover.
The highest payout is now $1.5 million for zero-click, full-chain exploits of the Pixel Titan M2 security chip that include persistence, which is the most difficult attack path in the program. The same class of exploit without persistence can still earn up to $750,000.
In the Chrome program, full-chain browser process exploits on fully updated operating systems and hardware are now worth up to $250,000. Researchers can also receive an extra $250,128 bonus for exploiting memory allocations protected by MiraclePtr.
Google said that some of the most impactful exploits are still extremely difficult to pull off, and the company wants to continue rewarding that kind of research at the highest level.
For Chrome, Google is putting more emphasis on short reports that include only proof-of-concept code and the essential artifacts, instead of long written analyses that AI tools can now generate automatically.
The Android program is also narrowing its focus to Linux kernel issues in Google-maintained components, unless researchers can show real exploitability on Android devices.
Google said AI can now make it easy to produce long, detailed write-ups, while its own internal tools have improved enough to automatically explain bugs and suggest fixes.
The changes come after a record year for Google’s bug bounty program. In 2025, the company paid $17.1 million to 747 researchers, which was more than 40% higher than 2024 and the highest total to date.
Since the program began in 2010, Google has paid more than $81.6 million in rewards. The company expects total payouts in 2026 to rise again, even with lower rewards for some individual issues.

