Joe Maring / Android Authority
TL;DR
- Google is now offering up to $1.5 million for advanced zero-click Pixel hacks targeting the Titan M2 security chip.
- Meanwhile, Google is slashing payouts for basic Android and Chrome vulnerabilities and cutting several bonus categories.
- Researchers can still earn up to $250,000 for full-chain Chrome exploits, and the MiraclePtr bonus remains untouched.
Google is cutting rewards for simple Android and Chrome exploits, but is offering a huge $1.5 million bounty to anyone who can achieve a zero-click, permanent hack of a Pixel’s Titan M2 chip.
In a new update to its Android and Chrome Vulnerability Reward Programs (VRPs), Google announced that it’s reworking payouts to focus less on lower-impact reports and more on complex bugs that could seriously affect users. The changes are already live.
The main news is about Android. Google now offers up to $1.5 million (was $1 million previously) for certain advanced Android exploits that persist, including zero-click attacks on Pixel devices with Titan M security chips. A non-persistent version pays $750,000.
Don’t want to miss the best from Android Authority?
Meanwhile, Chrome is moving in the opposite direction. Google says it is lowering some Chrome reward payouts and cutting bonus categories because AI-generated vulnerability reports are becoming more common. The company still encourages security researchers to submit reports, but now prioritizes concise, reproducible findings with clear proof of impact over the number of submissions.
Special bonuses for renderer RCE or arbitrary read/write are being removed. Google says AI has made these types of finds “almost routine.” Instead, the team is releasing special Chrome builds so researchers can demonstrate arbitrary read/write in privileged processes.
Google now pays up to $250,000 for full chain browser process exploits on the latest operating systems and hardware. The well-known $250,128 MiraclePtr bonus is still available. However, other payouts are decreasing, even though Google says the total reward pool for 2026 will increase.
In the past year, Google has expanded its AI-focused security efforts. In 2025, the company launched a dedicated AI bug bounty program for products like Gemini, Google Search, and Workspace AI tools. Researchers can earn up to $30,000 for finding serious AI-related vulnerabilities, such as prompt injection attacks, unauthorized actions, or data exfiltration flaws.
Google says the new VRP structure matches the way vulnerability research is changing. AI tools make it easier to find simple bugs, so Google now wants to reward discoveries that need more technical skill and show real-world risk. The company also encourages researchers to submit fixes with their reports, not just proof that a flaw exists.
Thank you for being part of our community. Read our Comment Policy before posting.
