HackMyIP
2026-05-05 BleepingComputer

Google Ups Android Exploit Bounties to $1.5M


Google announced a major overhaul of its Android and Chrome vulnerability reward programs, raising the maximum payout to $1.5 million for the most sophisticated exploit chains targeting Android devices. The revised Android Security Rewards (ASR) program introduces a new top‑tier bounty that rewards researchers who demonstrate a full remote‑code‑execution chain, from a malicious app to a privileged system service, while also covering baseband and kernel vulnerabilities that enable device compromise.

In addition to the record‑high reward, Google has restructured the payout tiers to incentivize high‑impact findings. Critical categories such as privilege escalation on the Android framework, Chrome’s V8 engine, and Android’s trusted execution environment now earn up to $500,000, up from previous caps. Conversely, payouts for lower‑severity flaws and for reports that rely heavily on AI‑generated proof‑of‑concept code have been reduced, reflecting the program’s focus on human‑driven research and the increasing difficulty of the remaining vulnerabilities.

The changes also extend the Chrome Vulnerability Rewards Program to include ChromeOS, rewarding successful exploitation of the operating system’s sandbox and driver components. Researchers can now earn additional bonuses for publishing detailed write‑ups and proof‑of‑concept code that aid the broader security community. Google expects the higher bounties to attract top‑tier talent and accelerate the discovery of vulnerabilities before they can be weaponized in the wild.

The revised reward structure aligns Google with the growing market for zero‑day exploits, where sophisticated chains can command premium prices on the gray market. By offering up to $1.5 million, the company aims to keep valuable research within its responsible disclosure framework, ensuring that critical flaws are patched promptly rather than sold to malicious actors. The new program takes effect immediately, and researchers can submit findings through the standard Google VRP portal.

Source: BleepingComputer
