TechRadar
Sead Fadilpašić

Google will now pay up to $1.5 million for finding Android and Chrome security bugs, says it has 'greatly appreciated collaborating with the researcher community'

Google logo on smartphone screen laying on computer keyboard.
  • Google raised rewards to $1.5m for top‑tier Android exploits, prioritizing risks beyond AI‑detectable flaws
  • Chrome’s program now offers up to $250K for full-chain browser exploits, plus bonuses for MiraclePtr bypasses
  • The company paid $17.1m to researchers in 2025, with lifetime payouts exceeding $81m since 2010

Google is now offering up to $1.5 million in bounties to whoever can find the biggest, baddest Android exploits, whereas “lesser” exploits, ones that can be found and reported with AI, are getting a proportional downgrade.

Google’s engineers announced changes to the company’s Android and Chrome vulnerability rewards programs, saying they will now pay up to $1.5 million to anyone who can find a zero-click, full-chain Pixel Titan M2 compromise with persistence. Those who find the same bug, sans the persistence part, can expect up to $750,000 in rewards.

“We are revising our program scope to emphasize categories that represent the highest risk to our users,” Google said. “We are also prioritizing categories that remain more challenging for automated AI tooling to find to ensure we reward researchers for their unique skills and talents.”

Overhauling the Chrome program

Going forward, the Android program will also focus more on Linux kernel vulnerabilities in components that Google maintains, with an exception for cases where researchers can show the flaws could be exploited on an Android device.

Chrome’s bounty program has also gotten an overhaul. Google is now giving up to $250,000 for full-chain browser process exploits on the latest operating systems and hardware, and up to a $250,128 bonus for a report that successfully exploits an allocation it believes to be protected by MiraclePtr.

Google’s bug bounty program paid out record sums last year, BleepingComputer reports. Apparently, it gave $17.1 million to 747 researchers, up more than 40% year-on-year and an all-time high.

In total, since the program started in 2010, Google has paid out more than $81 million and expects that the total amount for 2026 will be higher despite reducing individual reward amounts.

Via BleepingComputer
