Google is updating both its Android and Chrome vulnerability reward programs (VRPs), emphasizing higher payouts for the most technically difficult exploit chains while adjusting incentives and reporting requirements.

## What’s changing (as reported)

BleepingComputer highlights several program updates Google described in its VRP blog post:

- **Up to $1.5 million** for a **zero-click Pixel Titan M2 full-chain exploit with persistence**.

- **Up to $750,000** for the same class of exploit **without persistence**.

- In Chrome, **up to $250,000** for full-chain browser process exploits on up-to-date OS/hardware, plus an additional **$250,128 bonus** tied to **MiraclePtr**-protected memory allocations.

## “AI era” adjustments

Google also said it’s shifting process expectations:

- For Chrome, it prefers **concise reports** focusing on proofs and essential artifacts, noting AI can generate lengthy write-ups.

- For Android, it is narrowing its focus to **Linux kernel vulnerabilities in Google-maintained components**, unless exploitability on Android devices is demonstrated.

## Why it matters

- Bigger rewards can attract deeper research into exploit chains that are genuinely hard to build.

- The emphasis on exploitability and concise submissions may speed triage and patch cycles.

- Teams running Android/Chrome at scale benefit when the research ecosystem is incentivized to find impactful bugs.

*Source: BleepingComputer, citing Google’s VRP announcement.*