Updated · WIRED · May 25

Google Overhauls Chrome and Android Bug Bounties as AI Drives 2-to-10x Payout Pressure

Summary

  • Google revamped Chrome and Android vulnerability rewards in late April, cutting payouts for some bug classes while raising others to steer researchers toward harder, higher-impact flaws.
  • AI-driven bug hunting is flooding disclosure programs with more findings and exploit development, pushing companies toward far higher costs and faster patching; one researcher estimated Google could face 2-to-10x bug payouts this year.
  • Google researchers this month also reported evidence that cybercriminals used AI to develop a zero-day exploit that bypassed two-factor authentication on an open-source admin platform, underscoring the attacker-side risk.
  • The surge is straining the wider ecosystem: Curl ended its bounty program in January after AI-generated low-quality reports, while Linux's security mailing list was described last week as nearly unmanageable from duplicate submissions.
  • Security researchers say the shift may compress the long-standing 90-day disclosure window and force more structural defenses, arguing organizations cannot rely on patching alone as AI accelerates vulnerability discovery.

Insights

As AI finds every software flaw, is our reactive 'patch-and-pray' security model officially dead?
In the new 'economic war' of bug hunting, will the best AI win, not the smartest hacker?

Google Slashes Chrome Bug Bounty Rewards by 90% in 2026: AI Flood Forces Overhaul of Vulnerability Reporting

Overview

In 2026, Google launched a major overhaul of its Vulnerability Reward Programs, focusing on concise bug reports that provide concrete proof of issues. Announced on May 1, these changes streamline the reporting process by valuing clear reproducers and essential artifacts over lengthy explanations. The Chrome VRP now sets a $500 base reward for memory safety bugs, with possible increases based on factors like exploitability, but some rewards have dropped by up to ten times. This shift aims to improve efficiency and ensure that only high-quality, actionable reports are prioritized, reflecting Google's updated approach to security research in the AI era.

...