Google doubles rewards for the most critical exploits on Android and Chrome

Google has revolutionized its vulnerability reward programs for Android and Chrome, with rewards up to $1.5 million for zero-click exploits on the Pixel's Titan M2 security chip. This figure represents the maximum cap for full-chain attacks with persistence, while the same exploits without persistence can reach up to $750,000. This is a significant increase compared to previous versions of the program.

Quick Answer

  • Google now offers up to $1.5 million for zero-click exploits on Titan M2
  • Rewards up to $250,000 for full-chain exploits on Chrome with additional bonuses
  • AI simplifies the discovery of some vulnerabilities, reducing rewards for these cases
  • Focus on concise reports and Linux kernel vulnerabilities on Android
  • Record payments in 2025: $17.1 million to 747 researchers

Chrome: doubled rewards for full-chain exploits

For the Chrome browser, Google now offers up to $250,000 for full-chain exploits on updated systems and hardware, with an additional bonus of $250,128 for exploits that bypass the MiraclePtr protection. This technological innovation represents a significant step forward in browser security, encouraging research into complex and critical vulnerabilities.

The impact of artificial intelligence

The company has reduced rewards for vulnerabilities that AI has made easier to discover. Long and detailed reports automatically generated by AI are now less relevant to the Chrome program, which prefers concise reports with proof of the bug and essential artifacts. This change reflects the evolution of Google's automated analysis capabilities.

Android: focus on Linux kernel vulnerabilities

The Android program will primarily focus on Linux kernel vulnerabilities in components maintained by Google, unless researchers demonstrate concrete exploitability on Android devices. This decision aims to direct research efforts towards the most critical and relevant vulnerabilities for the Android ecosystem.

Record payments in 2025

2025 has been a record year for Google's bug bounty program, with $17.1 million paid to 747 researchers. This represents a 40% increase compared to 2024 and the highest total payment since the program was launched in 2010. Total payments since the program's launch have exceeded $81.6 million.

Future prospects

Google estimates that aggregate rewards in 2026 will increase despite reductions in some individual rewards. This suggests that the program will continue to grow and evolve, maintaining its commitment to improving the security of its products through collaboration with the researcher community.

AI and the new frontier of exploits

The article also mentions that AI has allowed chaining four zero-days in a single exploit, bypassing both the renderer and operating system sandboxes. This development represents a new frontier in cybersecurity, highlighting the continued importance of vulnerability reward programs to address emerging threats.

Events and conferences

The text refers to an event, the Autonomous Validation Summit, which will take place on May 12 and 14, where the latest innovations in autonomous validation and remediation cycle closure will be discussed. This event represents an opportunity for industry professionals to stay updated on the latest trends and technologies in cybersecurity.

The market context and impact on cybersecurity

The increase in rewards offered by Google reflects a broader trend in the cybersecurity sector, where technology companies are increasingly investing in bug bounty programs to address growing cyber threats. According to a recent report by HackerOne, the global bug bounty market grew by 35% in 2025, with a significant increase in investments by major technology companies.

This trend is in line with the increase in sophisticated cyberattacks, which often exploit zero-day vulnerabilities. A report by Cybersecurity Ventures predicts that economic damages caused by cyberattacks will reach $10.5 trillion by 2025, underscoring the importance of vulnerability reward programs to mitigate these risks.

Practical implications for vulnerability researchers

For vulnerability researchers, the increase in rewards represents a significant opportunity to be compensated for their work. However, Google's focus on concise reports and the reduction of rewards for vulnerabilities that AI has made easier to discover require an adaptation of research methodologies.

Researchers will need to focus on more complex and critical vulnerabilities, such as those involving the Titan M2 security chip or the Linux kernel on Android. This could lead to greater specialization in the sector, with researchers focusing on specific areas of vulnerability.

The importance of collaboration between companies and researchers

Collaboration between technology companies and vulnerability researchers is fundamental to improving product security. Google has emphasized the importance of this partnership, highlighting how the discovery and resolution of complex vulnerabilities is a joint effort.

This collaboration is particularly relevant in the context of exploits that bypass advanced protections such as MiraclePtr. Google's ability to offer significant rewards for these vulnerabilities encourages researchers to dedicate time and resources to discovering critical threats.

The future challenges for cybersecurity

The increasing use of artificial intelligence in vulnerability discovery represents both an opportunity and a challenge for the cybersecurity sector. While AI simplifies the discovery of some vulnerabilities, it also makes it more difficult to distinguish critical vulnerabilities from less relevant ones.

Furthermore, the development of exploits that chain multiple zero-days in a single attack represents a new frontier in cybersecurity. These advanced exploits require a more sophisticated approach by researchers and companies to be identified and mitigated.

The evolution of bug bounty programs

The evolution of Google's bug bounty programs reflects a broader trend towards the adoption of advanced technologies to improve product security. The focus on concise reports and the reduction of rewards for vulnerabilities that AI has made easier to discover indicate a change in how companies evaluate and reward researchers.

This change could lead to greater efficiency in the discovery and resolution of vulnerabilities, but it also requires an adaptation by researchers to maintain their relevance in the sector.

Conclusion and future predictions

The increase in rewards offered by Google for the most critical vulnerabilities on Android and Chrome represents a significant step in the fight against cyber threats. This development underscores the importance of collaboration between companies and researchers to improve the security of technological products.

For the future, it is expected that bug bounty programs will continue to evolve, with increasing attention to complex and critical vulnerabilities. The use of artificial intelligence in vulnerability discovery represents a new frontier, requiring a sophisticated approach by researchers and companies.
