Google will now pay up to $1.5 million for finding Android and Chrome security bugs, says it has 'greatly appreciated collaborating with the researcher community'

Google is prioritizing bugs that can't be easily found with AI

News By Sead Fadilpašić published 6 May 2026

• Copy link
• Facebook
• X
• Whatsapp
• Reddit
• Pinterest
• Flipboard
• Threads
• Email

Share this article 0 Join the conversation Follow us Add us as a preferred source on Google Newsletter Subscribe to our newsletter

• Google raised rewards to $1.5m for top‑tier Android exploits, prioritizing risks beyond AI‑detectable flaws
• Chrome’s program now offers up to $250K for full chain browser exploits, plus bonuses for Miracle Ptr bypasses
• The company paid $17.1m to researchers in 2025, with lifetime payouts exceeding $81m since 2010

Google is now offering up to $1.5 million in bounty to whoever can find the biggest, baddest, Android exploits - whereas “lesser” exploits - ones that can be found and reported on with AI, are getting a proportional downgrade.

Google’s engineers announced changes to the company’s Android and Chrome vulnerability rewards programs, saying they will now reward up to $1.5 million to anyone who can find a zero-click full chain Pixel Titan M2 compromise with persistence. Those that find the same bug, sans the persistence part, can expect up to $750,000 in rewards.

“We are revising our program scope to emphasize categories that represent the highest risk to our users,” Google said. “We are also prioritizing categories that remain more challenging for automated AI tooling to find to ensure we reward researchers for their unique skills and talents.”

Article continues below

Overhauling the Chrome program

Going forward, the Android program will also be more focused on Linux kernel vulnerabilities in components that Google maintains, with the exception of researchers being able to show the flaws could be exploited on an Android device.

Chrome’s bounty program has also gotten an overhaul. Google is now giving up to $250,000 for full chain browser process exploits on the latest operating systems and hardware, and up to $250,128 bonus for a report that successfully exploits an allocation it believes to be protected by Miracle Ptr.

Google’s bug bounty program has paid out record sums last year, BleepingComputer reports. Apparently, it gave $17.1 million to 747 researchers last year, up more than 40% year-on-year, and hitting an all-time high.

In total, since the program started in 2010, Google has paid out more than $81 million and expects that the total amount for 2026 will be higher despite reducing individual reward amounts.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsors