Google Revises Bug Bounties for Android and Chrome
Class A - Reported facts: Google has reworked its Vulnerability Rewards Programs (VRPs). According to Google's VRP 2025 Year in Review blog post, the company created a dedicated AI VRP and paid over $17 million to researchers in 2025. SecurityWeek reports that Google raised maximum Android payouts, including up to $1.5 million for a zero-click Pixel Titan M exploit with persistence and higher rewards for secure element data exfiltration, while reducing many standard Chrome payouts and phasing out some bonuses. SecurityWeek also reports that Google is prioritizing high-impact flaw categories that AI tooling finds hard to discover, incentivizing reports that include proposed patches, and narrowing Linux kernel rewards to Google-maintained components unless exploitability on Android is demonstrated. Editorial analysis: for practitioners, the changes reweight incentives toward high-effort, high-impact research and clearer remediation artifacts.
What happened
Class A - Reported facts: Google published a retrospective of its Vulnerability Rewards Program in the VRP 2025 Year in Review blog post, noting the creation of a dedicated AI VRP and reporting that it awarded over $17 million to researchers in 2025. SecurityWeek reports that Google has overhauled the Android and Chrome VRP payout structures as part of a broader response to an increase in AI-assisted vulnerability reports.
Technical details
Class A - Reported facts: SecurityWeek documents concrete payout changes. On Android, the maximum reward for a zero-click Pixel Titan M exploit with persistence rose to $1.5 million (up from $1.0 million), the maximum for a non-persistent exploit of the same class rose to $750,000 (up from $500,000), and secure element data exfiltration now pays up to $375,000 (up from $250,000). For Chrome, SecurityWeek reports that standard base payouts have been reduced, citing a new base reward of $500 for memory safety issues, with multipliers applied on top according to reachability and exploitability; the article also says Google is phasing out certain bonuses introduced last year for arbitrary read/write and remote code execution. SecurityWeek quotes Google: "While AI has made it effortless to produce lengthy, detailed write-ups, our internal tooling has also evolved to help us automatically explain and suggest fixes for bugs." SecurityWeek further reports that Google will strongly incentivize reports that include proposed patches and that the Android program will emphasize vulnerabilities that are harder for AI tools to find. Google is also reported to be focusing Linux kernel rewards on Google-maintained components unless there is "concrete proof of exploitability on Android or our devices," per SecurityWeek.
Industry context
Editorial analysis: When AI-assisted tooling drives up the volume of submissions, program owners tend to respond by tightening scope and concentrating reward budgets at the top tier, so that high-impact, hard-to-automate findings are favored over routine ones. Researchers, in turn, tend to follow the money: higher top-line payouts redirect effort toward complex exploit chains and hardware-rooted targets such as secure elements, which demand deep expertise, specialized equipment, and a working exploit rather than a scanner-style report.
Implications for researchers and defenders
Editorial analysis: For practitioners, the reweighting of incentives favors discovery of device-level and secure element exploits and places more value on proof of exploitability and on remediation artifacts such as proposed patches. Researchers who invest in demonstrable exploit chains or high-quality patch proposals are likely to see higher awards on Android, while routine memory-safety reports for Chrome will start from a smaller base payment and depend on the reachability and exploitability multipliers, so a clear reproducer and exploitability evidence matter more than report length.
What to watch
Editorial analysis: Observers should track whether the changes reduce low-quality, AI-generated submissions and whether the Android payout increases lead to more reports against trusted hardware such as the Pixel Titan M. Also monitor follow-up Google communications and the program rules pages for the finalized Chrome payout tables, and for any special competitions or curation mechanisms Google may introduce to handle AI-driven report volume.
Attribution and sourcing
Class A - Reported facts: The VRP 2025 Year in Review blog post is the primary company source for the dedicated AI VRP and the $17 million 2025 payout figure. SecurityWeek is the primary source for the reported Android and Chrome payout adjustments, the quoted Google text about AI-driven write-ups, and the reported policy changes about Linux kernel scope and incentivizing proposed patches.
Scoring Rationale
This is a notable change to a major vendor's vulnerability economics that directly affects security researchers and triage teams. It reshapes incentives around device-level, high-impact findings and report quality, making it practically relevant for practitioners.