Security & Infrastructure Tools
Google now offers up to $1.5 million for some Android exploits
Google is overhauling its Android and Chrome vulnerability rewards, offering up to $1.5 million for the hardest Android exploits (zero-click Pixel Titan M2 full-chain with persistence) and up to $750,000 without persistence, while Chrome rewards reach $250,000 plus a $250,128 bonus for MiraclePtr-protected memory. The program shifts toward concise, AI-friendly reports and focuses Android research on Linux-kernel vulnerabilities in Google-maintained components. Google notes a record $17.1 million paid in 2025 to 747 researchers, bringing total payouts since 2010 to $81.6 million, with 2026 payouts expected to rise. The Autonomous Validation Summit is scheduled for May 12–14, 2026.

Google Expands Android and Chrome Vulnerability Rewards
Overview
Google has overhauled its vulnerability rewards programs for Android and Chrome, introducing tougher bounties for the most difficult exploits while scaling back payouts for flaws that AI has made easier to discover. The centerpiece remains a top prize of up to $1.5 million for zero-click exploits targeting the Pixel Titan M2 security chip with full-chain persistence. The same class of exploits without persistence can earn up to $750,000. In parallel, Chrome rewards have been updated to reflect the AI era, with significant payouts for sophisticated browser-process exploits on current systems and hardware, plus a special bonus for memory protections.
Android program: new prize tiers and scope
- Zero-click Pixel Titan M2 full-chain exploits with persistence: up to $1.5 million.
- Zero-click Pixel Titan M2 exploits without persistence: up to $750,000.
- The Android program focuses on Android devices and Google-maintained components, with a narrowed emphasis on Linux kernel vulnerabilities within those components.
- Researchers can earn the higher rewards by demonstrating concrete exploitability on Android devices, not just theoretical weaknesses.
- For researchers who demonstrate practical chains that persist across the full stack, the higher-tier rewards apply; otherwise, the standard tiers are in play.
Chrome program: rewards and a new memory protection bonus
- Full-chain browser process exploits on up-to-date operating systems and hardware: up to $250,000.
- An additional bonus of $250,128 is available for successfully exploiting MiraclePtr-protected memory allocations.
- Google’s revised policy for Chrome emphasizes concise reports containing bug proofs and essential artifacts, rather than lengthy narrative analyses that AI can generate automatically.
AI, reporting, and internal tooling
- AI can generate lengthy reports, and Google’s security teams have developed internal tooling that automatically explains bugs and proposes fixes.
- The company says this evolution supports faster triage and remediation while maintaining high-quality disclosures and reproducible exploit demonstrations when needed.
Historical context: payouts and program momentum
- The changes come after a record year in 2025, when Google paid out about $17.1 million to 747 researchers, marking a more than 40 percent increase from 2024 and an all-time high for the program.
- Since the program began in 2010, total payouts have surpassed $81.6 million, reflecting a long-running commitment to vulnerability disclosure.
- Google anticipates that total aggregate rewards paid in 2026 will continue to rise, even as certain individual reward levels are adjusted downward in the AI era, underscoring a strategic shift to reward the most impactful exploits.
Context and forward-looking notes
- The restructuring aligns with ongoing collaboration with the research community to uncover highly impactful vulnerabilities, while focusing on the most technically demanding attack scenarios.
- Google says the highest reward tiers will remain a focus across both Android and Chrome, reinforcing the goal of closing critical attack paths with rapid, well-supported remediation.
Industry implications: a landscape driven by high-stakes security research
- The updated reward framework highlights the increasing complexity of modern exploitation chains and the corresponding need for rigorous, reproducible disclosures.
- By prioritizing full-chain exploits with persistence for the most valuable prizes, Google signals a preference for research that demonstrates real-world impact and durability across the full stack.
- The shift toward concise, artifact-focused reports reflects a broader trend in security research toward efficient, verifiable submissions that can be worked into fixes and mitigations without reliance on lengthy narrative analysis produced by automated tools.
Upcoming events and demonstrations
- An Autonomous Validation Summit is scheduled for May 12–14, where analysts will showcase autonomous, context-rich validation techniques that identify what’s exploitable, verify controls, and close remediation loops.
- The event promises practical demonstrations of validation pipelines and remediation workflows in the AI era, illustrating how researchers and vendors can collaborate to strengthen defenses.
Final takeaways
- Google’s updated vulnerability reward programs align the programs with AI-enabled research while maintaining a strong emphasis on high-impact exploits that affect Android devices and Chrome across real-world environments.
- The top prizes remain highly aggressive for zero-click, persistence-enabled exploits, signaling continued incentives for researchers to pursue the most challenging security breakthroughs.
- As the landscape evolves, the balance between thorough, reproducible proofs and concise, artifact-driven reports will shape how researchers approach vulnerability discovery and disclosure in 2026 and beyond.


