Overview
- Google announced Tuesday a revamped Vulnerability Reward Program that pays up to $1.5 million for a zero-click, full-chain Pixel exploit that compromises the Titan M2 security chip with persistence, and $750,000 for the same chain without persistence.
- For Chrome, full-chain exploits on current systems now earn up to $250,000, with an added $250,128 bonus for breaking MiraclePtr, a defense that hardens memory pointer allocations.
- Android’s scope now centers on Linux kernel bugs in Google‑maintained components unless researchers can show a concrete, working exploit on an Android device.
- Google is shifting Chrome submissions to concise, artifact‑first reports and will offer extra incentives when researchers include patch proposals that fix the issue.
- The company ended extra bonuses for renderer remote code execution and arbitrary read/write bugs, introduced new Chrome research builds to demonstrate memory and data leaks, and said overall 2026 payouts could grow after paying $17.1 million to 747 researchers in 2025.