Google has restructured its Android and Chrome vulnerability reward programs to prioritize the highest-impact, hardest-to-achieve exploits while reducing payouts for flaws that AI has made easier to find. Top prizes include up to $1.5 million for zero-click Pixel Titan M2 full-chain exploits with persistence and up to $250,000 (plus a $250,128 MiraclePtr bonus) for full-chain Chrome process exploits.
Key points
- Google overhauled its Android and Chrome bounty programs to reward the most technically demanding exploits while lowering payouts for flaws that AI has made easier to find.
- Pixel Titan M2 zero-click full-chain exploits with persistence can earn up to $1.5 million, and up to $750,000 without persistence.
- Chrome full-chain browser process exploits on up-to-date systems are eligible for up to $250,000 plus a $250,128 bonus for exploiting MiraclePtr-protected allocations.
- Chrome reporting now emphasizes concise submissions with proofs and essential artifacts, and Android rewards focus on Linux kernel bugs in Google-maintained components unless exploitability on devices is demonstrated.
- Google paid $17.1 million to 747 researchers in 2025, bringing total payouts since 2010 above $81.6 million, and forecasts higher aggregate rewards in 2026.