Google to pay up to $1.5 million for zero-click Pixel Titan M exploits

Google has revised its Android and Chrome Vulnerability Reward Programs (VRPs), which pay security researchers to report vulnerabilities in Android, Google hardware, and the Chrome browser. The update raises top bounties to $1.5 million and adjusts rewards for lower-complexity reports.

Google Vulnerability Reward Program

The program targets vulnerability classes that automated tools struggle to detect and prioritizes researcher-driven findings.

The maximum reward of $1.5 million applies to a zero-click, full-chain compromise of Pixel devices targeting the Titan M2 security chip with persistence. The same exploit chain without persistence is eligible for up to $750,000.

Full-chain Chrome browser process exploits affecting the latest operating systems and hardware can earn up to $250,000, with an additional bonus of up to $250,128 for exploiting an allocation protected by MiraclePtr.

“We are revising our program scope to emphasize categories that represent the highest risk to our users,” Google said. “We are also prioritizing categories that remain more challenging for automated AI tooling to find.”

Key changes to Google’s VRPs

Google is deprioritizing Linux kernel vulnerabilities in Google-maintained components unless there is proof of exploitability on Android or Google devices. Submissions that include patch proposals will receive additional incentives.

“While AI has made it easier to produce lengthy, detailed write-ups, our internal tooling has also evolved to help us automatically explain and suggest fixes for bugs,” the company added.

Google is discontinuing additional rewards for renderer remote code execution (RCE) and arbitrary read/write vulnerabilities. These bonuses were introduced to encourage submissions and confirm exploitability. Rewards will now focus on more complex vulnerability classes.

The company is updating its testing infrastructure, with new Chrome builds for researchers designed to demonstrate memory access and information leak issues. Guidance on their use will be added to the VRP FAQ.
