Skip to main content
CybersecurityHacking

Google Boosts Bounty Payouts for Elusive Android Exploits

Smartphone with blank screen on a neutral surface in a blurred research environment.

Google is now offering up to $1.5 million for the most difficult Android exploits — a deliberate reweighting of bounties that puts the largest prizes on technically extreme scenarios and trims awards for flaws AI has made easier to find.

Pixel Titan M2 zero-click full-chain exploits with persistence

The top bounty — up to $1.5 million — is reserved for "zero-click Pixel Titan M2 security chip full-chain exploits with persistence," the company says, identifying that scenario as the most technically demanding in the program. The same class of full-chain exploit on that chip, but without persistence, is eligible for up to $750,000. Google framed these tiers as an effort to reward the “particularly impactful exploits” that remain "incredibly difficult to achieve" and to continue a partnership with the researcher community to surface them.

Chrome rewards, MiraclePtr bonus, and a move to concise reports

On the Chrome side, Google raised payouts for full-chain browser process exploits on up-to-date operating systems and hardware to as much as $250,000. In addition, researchers who successfully exploit MiraclePtr-protected memory allocations can receive a separate bonus of $250,128. Alongside those dollar figures, Google told researchers it will now prefer concise submissions focused on bug proofs and essential artifacts rather than lengthy written analyses—an explicit response to the company’s assessment that AI makes detailed write-ups easier to generate.

Android program narrows to Linux kernel in Google‑maintained components

The Android rewards program will narrow its scope to Linux kernel vulnerabilities in Google‑maintained components, the company announced, unless researchers can demonstrate "concrete exploitability on Android devices." That change signals a tighter definition of which kernel bugs will qualify by default for Android payouts, shifting emphasis toward bugs Google both owns and can reproduce on handset hardware.

AI reshapes bounty economics and reporting expectations

Google cited AI as a key factor behind the restructuring. "While AI has made it effortless to produce lengthy, detailed write-ups, our internal tooling has also evolved to help us automatically explain and suggest fixes for bugs," the company said. The vendor also noted the security community has recently seen AI chain multiple vulnerabilities into complex aggregates: the report states that AI "chained four zero-days into one exploit that bypassed both renderer and OS sandboxes" and that "a wave of new exploits is coming." Against that backdrop, Google said it wants to "build on this partnership by continuing to emphasize the highest tiers of rewards across both Android and Chrome."

Payouts hit new highs even as some individual awards are reduced

The restructuring follows a record year for Google's bug bounty effort. In 2025 the company paid $17.1 million to 747 researchers, a more than 40 percent increase from 2024 and an all‑time high for annual payouts. Since the program launched in 2010, Google reports total payouts of more than $81.6 million. Despite narrowing some reward categories and lowering certain individual payouts, Google estimates that aggregate rewards paid in 2026 will increase.

What this means for researchers, security teams, and adversaries

  • Researchers: The new top tiers create strong incentives to target hardware-backed, full‑chain exploits—especially zero‑click paths against the Pixel Titan M2 security chip and browser process chains that can defeat MiraclePtr protections. Google’s preference for concise proofs may speed triage for high-value reports but reduce credit for long-form writeups.
  • Security teams and procurement leaders: The emphasis on Google‑maintained Linux kernel components and on demonstrable exploitability on devices narrows the set of vulnerabilities that will produce Android payouts, changing where vendor and third‑party teams may prioritize testing and firmware validation.
  • Adversaries and exploit developers: The report highlights AI-driven chaining of vulnerabilities and warns of a "wave of new exploits"; that combination—greater automation in triage and a financial premium on difficult, persistence-capable exploits—may shift some clandestine efforts toward high‑impact full‑chain scenarios.

Google’s program reset is simultaneously a financial promise and a strategic filter: larger sums for fewer, harder-to-achieve classes of exploit, and lower or narrower awards where AI and internal tooling have reduced manual effort. The company has framed the changes as part of a continued collaboration with outside researchers while flagging both technological shifts (AI-assisted chaining) and programmatic shifts (scope and report format). Whether the new bounty structure will concentrate researcher attention on the top tiers or simply redirect reporting toward more concise proof artifacts is the next test—one that Google’s 2026 payout projections implicitly invite researchers and defenders to watch closely.

Source: BleepingComputer — Google now offers up to $1.5 million for some Android exploits