Joe Maring/Android Authority
TL;DR
- Google is now offering up to $1.5 million for an advanced zero-click Pixel hack targeting the Titan M2 security chip.
- Meanwhile, Google is cutting payments for basic Android and Chrome vulnerabilities and cutting back on several bonus categories.
- Researchers can still earn up to $250,000 for full-chain Chrome exploits, and the MiraclePtr bonus remains untouched.
Google is cutting rewards for simple Android and Chrome exploits, but is offering a massive $1.5 million reward to anyone who can achieve a zero-click, permanent hack of the Pixel’s Titan M2 chip.
In a new update to its Android and Chrome Vulnerability Reward Programs (VRPs), Google announced that it is reworking payments to focus less on low-impact reports and more on complex bugs that seriously impact users. The changes are already live.
The main news is about Android. Google now offers up to $1.5 million (previously $1 million) for certain advanced Android exploits, including zero-click attacks on Pixel devices with Titan M security chips. A non-permanent version pays $750,000.
Meanwhile, Chrome is moving in the opposite direction. Google says it’s reducing some Chrome Rewards payouts and cutting bonus categories as AI-generated vulnerability reports become more common. The company still encourages security researchers to submit reports, but now prioritizes concise, reproducible findings with clear evidence of impact over the number of submissions.
Special bonuses for renderer RCE or arbitrary read/write are being removed. Google says AI has made these types of findings “almost routine.” Instead, the team is releasing special Chrome builds so that researchers can perform arbitrary reads/writes to privileged processes.
Google now pays up to $250,000 for a full-chain browser process exploit on the latest operating systems and hardware. The famous $250,128 MiraclePtr bonus is still available. However, other payouts are decreasing, even though Google says the total reward pool will increase for 2026.
Over the past year, Google has expanded its AI-focused security efforts. In 2025, the company launched a dedicated AI bug bounty program for products like Gemini, Google Search, and Workspace AI tools. Researchers can earn up to $30,000 for finding serious AI-related vulnerabilities, such as prompt injection attacks, unauthorized actions, or data exfiltration flaws.
Google says the new VRP structure matches the way vulnerability research is changing. AI tools make it easier to find simple bugs, so Google now wants to reward research that requires more technical skill and that shows real-world risk. The company also encourages researchers to submit fixes with their reports, not just provide evidence that a flaw exists.
