Google has recently announced a major revision of its reward programs dedicated to researchers who identify security vulnerabilities in Android and Chrome.
The updated strategy aims to reward high-profile discoveries, offering million-dollar payoffs for the most critical vulnerabilities.
At the same time, rewards are recalibrated downward for vulnerabilities that have become easier to discover, a phenomenon mainly due to the rapid spread of artificial intelligence.
This decision reflects the aim to maintain an extremely high level of protection, rewarding real technical effort and human ingenuity in the face of ever more complex defensive barriers.
Vulnerabilities in Android and Chrome: record-breaking figures for those who discover them

The top reward reaches an impressive figure of $1.5 million. This amount is reserved for exceptionally challenging attack scenarios, in particular zero-click exploits aimed at the Pixel Titan M2 security chip that manage to maintain persistence in the system.
This is the most technically challenging operation envisaged by the project as a whole. If the same attack is carried out without guaranteeing persistence, the financial reward still reaches $750,000.
Turning to the Chrome side, full process compromises on updated operating systems and hardware can earn you $250,000. This amount can be augmented by an additional $250,128 bonus if the analyst successfully bypasses memory allocations protected by the MiraclePtr technology.
The company emphasised that certain high-impact compromises remain extremely difficult to implement, expressing deep gratitude to independent experts for their valuable investigative work.
The impact of new technologies on disclosures
A crucial aspect of the reorganization concerns the impact of new generative technologies. Regarding Chrome, the current guidelines require only essential documentation, focused exclusively on the technical proofs and the fundamental artifacts that demonstrate the true nature of the bug.
Long analytical written reports lose their usefulness, since modern algorithms can now generate them automatically. Additionally, the company’s internal tools have evolved to the point where they can explain bugs and suggest fixes autonomously.
On the mobile front, the focus narrows to Linux kernel vulnerabilities in the components directly managed by the company, unless researchers demonstrate concrete and direct exploitability on physical devices.
Growing investments
The restructuring of the incentive system comes at the end of an unprecedented year. During 2025, $17.1 million was distributed to 747 different professionals. This represents an increase of over 40% compared to 2024, marking the highest level reached to date.
Since the project’s inception in 2010, total disbursements have far surpassed the threshold of $81.6 million.
Despite the reduction of amounts for minor flaws, official estimates for 2026 indicate that total spending on rewards will continue to rise, underscoring the crucial importance of preventive security in the development of modern digital ecosystems.



