Google has updated its Android vulnerability bounty program to pay up to $1.5 million for the most sophisticated exploits, as the company relies on researchers to find critical vulnerabilities before attackers do.
Google has changed the way it approaches bounties for security vulnerabilities in Android and Chrome. It will pay researchers up to $1.5 million for the most complex exploits; at the same time, it has lowered payouts for classes of bugs whose discovery has become easier with AI-assisted tooling.
The largest reward is reserved for a complete exploit chain against the Titan M2 security chip in Pixel devices, which Google considers the hardest target to exploit and which, if compromised, can give an attacker root-level access to the device without any user interaction (a zero-click exploit). Researchers can earn up to $1.5 million for such a chain. An equivalent chain that does require user interaction tops out at $750,000.
Google has also modified the rules for Chrome. Researchers who deliver a complete exploit chain that achieves code execution in a browser process on a current system can earn up to $250,000, with an additional $250,128 available for an exploit that bypasses the MiraclePtr memory-safety protection.
According to Google, these changes reflect a shift in how it thinks about security research.
“We recognize that many very significant advances continue to be extremely difficult to implement,” Google said. “We believe strongly in partnering with the research community to identify and extract them.”
“Likewise, we want to foster this partnership by continuing to place the greatest emphasis on reward levels within both Android and Chrome.”
On top of this, Google is moving away from rewarding researchers on the strength of lengthy write-ups alone. The revised Chrome program focuses on mature reports backed by solid evidence and technical documentation rather than abstract or speculative theories. This makes sense: a long, detailed report was once a reasonable signal of high-quality research, but AI can now produce one in minutes.
AI was also the impetus behind changes in the Android bounty program. According to Google, Linux kernel vulnerabilities in the Android components it supports will earn lower rewards unless the researcher demonstrates how the bug affects an actual Android device.
As stated earlier, Google has acknowledged the influence of AI on the research space.
“While AI has certainly made it simpler to produce lengthy explanations and descriptions, we’ve developed numerous tools internally to assist us in automatically providing explanations and suggestions for fixes,” the company said.
Google's bounty program revision follows what the company calls a "record-breaking" year in which it awarded over $17.1 million to 747 researchers, more than a 40% increase over the previous year's total and the largest annual payout in the program's history.
Since its launch in 2010, the program has paid out more than $81.6 million to researchers. Although individual payouts may be smaller under the new rules, Google expects the overall total to rise again in 2026.