
Google has updated its Vulnerability Reward Programs (VRPs) for Chrome and Android, reflecting a shift in cybersecurity dynamics driven by the rapid rise of artificial intelligence in vulnerability discovery. The changes signal a strategic realignment in how the company incentivizes security researchers amid evolving threat patterns.
As part of the update, payouts for Chrome-related vulnerabilities have been reduced in certain categories, while rewards for Android and Google device security have been increased. The company is now prioritizing vulnerabilities with the highest real-world impact and those that are more difficult for AI tools to identify, indicating a move toward rewarding deeper, more complex security research.
One of the notable highlights includes a significant increase in rewards for high-severity Android exploits, with payouts reaching up to $1.5 million for advanced attack scenarios such as zero-click exploits targeting Pixel’s Titan M security chip.
Despite lowering some individual Chrome payouts, Google expects its overall bug bounty spending to increase. The company had already reported a record $17.1 million in total rewards distributed in 2025, and anticipates continued growth in 2026 as participation in vulnerability research and the complexity of that research both rise.
Additionally, Google plans to introduce specialized Chrome configurations to help researchers more effectively identify issues such as memory leaks and arbitrary read/write vulnerabilities. This reflects a broader effort to improve the quality of findings rather than simply increasing the volume of reported bugs.
The overhaul highlights how AI is transforming cybersecurity economics. While AI tools are making it easier to discover common vulnerabilities, companies like Google are shifting incentives toward uncovering sophisticated flaws that require advanced expertise, reinforcing the importance of human-led, high-skill security research in an increasingly automated landscape.




