Tuesday, May 5, 2026

Google has announced a major overhaul of its Vulnerability Reward Programs (VRP) for both Android and Chrome, adapting to a new era where artificial intelligence plays a significant role in bug discovery. Reports indicate that advanced AI tools, such as GPT-5.4 Cyber, can rapidly analyze code and help generate attack models, leading to a surge in vulnerability submissions. However, many of these reports lack quality or real-world exploitability. As a result, Google is shifting its reward criteria to prioritize quality and real-world impact over sheer volume.
One of the most notable changes is the increase in rewards for Android and Google devices. The maximum payout for exploiting the Titan M security chip via a zero-click attack, where no user interaction is required, has been raised from $1 million to $1.5 million. These vulnerabilities are particularly difficult for AI to detect and pose a high security risk. In contrast, Google has reduced standard rewards for Chrome, saying that AI tools make it easier to produce detailed but low-value reports. The company now emphasizes concise, reproducible reports with a clear proof-of-concept (PoC), and gives additional consideration to submissions that include suggested fixes.
Cybersecurity experts note that this move is not about cost-cutting. Google expects total payouts in 2026 to continue rising after reaching a record $17.1 million in 2025. Instead, the change reflects an industry-wide response to the growing challenge of AI-generated vulnerability reports. The issue has become so significant that global initiatives like Internet Bug Bounty (IBB) have temporarily paused report submissions. Google’s new strategy marks a shift toward encouraging researchers to focus on deep, complex vulnerabilities that still require human expertise—areas where AI remains limited.
