Google has announced significant changes to its Vulnerability Reward Programs (VRP) for Chrome and Android, responding to the increasing influence of AI in discovering security vulnerabilities. The updates reflect a shift in focus towards vulnerabilities that have a substantial impact on users and those that AI tools struggle to identify.
Android VRP: Increased Focus on High-Impact Vulnerabilities
In the Android and Google Devices VRP, Google is prioritizing vulnerabilities that significantly affect users and are challenging for AI systems to detect. To incentivize more actionable reports, the company is concentrating on flaws within Google-maintained components, requiring concrete evidence of any exploitability on Android devices.
The company has increased the maximum payouts for certain vulnerabilities. For example, zero-click Pixel Titan M exploits with persistence now offer rewards of up to $1.5 million, up from $1 million. Exploits lacking persistence have seen increases from $500,000 to $750,000, while secure element data exfiltration can earn up to $375,000, compared to the previous $250,000.
Chrome VRP: Emphasis on Proof and Conciseness
Conversely, Google has reduced standard payouts for Chrome vulnerabilities, as the company shifts towards reports that provide tangible proof of bugs. Despite AI’s ability to generate extensive write-ups, Google’s internal tools have advanced to automatically explain and propose fixes, leading to a preference for concise reports with necessary validation artifacts.
As a result, the base reward for memory safety issues is now set at $500, subject to multipliers based on factors like reachability and exploitability. Security analysts note that some Chrome bug rewards have decreased by a factor of ten. Additionally, Google is withdrawing bonuses for certain vulnerabilities introduced last year, following a surge in AI-driven submissions.
Addressing the AI-Induced Surge in Vulnerability Reports
Google’s updates are timely, as advanced AI tools like Anthropic’s Claude Mythos and OpenAI’s GPT‑5.4‑Cyber are reshaping the vulnerability discovery landscape. These tools, although currently limited in availability to prevent misuse, have led to an influx of AI-generated vulnerability reports that many organizations struggle to manage.
In response to this surge, some programs, like the Internet Bug Bounty (IBB), have paused accepting new reports. Google anticipates a rise in its total rewards payout for 2026, despite individual bug bounties decreasing, following a record-high $17.1 million paid in 2025.
These strategic adjustments underscore the growing role of AI in cybersecurity and the need for companies to adapt their vulnerability management approaches accordingly.
