Google will pay you $1.5M if you can hack Pixel’s Titan M2 chip

Source: Android Authority

Joe Maring / Android Authority

TL;DR

• Google is now offering up to $1.5 million for advanced zero‑click Pixel hacks targeting the Titan M2 security chip.
• Payouts for basic Android and Chrome vulnerabilities are being reduced, and several bonus categories are being removed.
• Researchers can still earn up to $250,000 for full‑chain Chrome exploits, and the MiraclePtr bonus remains unchanged.

Android Bounty Update

Google has revised its Android Vulnerability Reward Program (VRP). The key changes are:

• Up to $1.5 million for advanced, persistent Android exploits (previously $1 million).
• This includes zero‑click attacks on Pixel devices that use the Titan M security chips.
• A non‑persistent version of the same exploit is rewarded with $750,000.

The new structure shifts focus away from lower‑impact reports toward complex bugs that could have a serious effect on users.

Chrome Bounty Changes

While Android rewards are increasing, Chrome’s program is moving in the opposite direction:

• Certain Chrome reward payouts are being lowered, and bonus categories such as renderer RCE or arbitrary read/write are being removed.
• Google cites the rise of AI‑generated vulnerability reports, which have made these types of findings “almost routine.”
• To still enable researchers to demonstrate arbitrary read/write in privileged processes, Google is releasing special Chrome builds.

Despite the cuts, the program still offers:

• Up to $250,000 for full‑chain browser‑process exploits on the latest operating systems and hardware.
• The well‑known $250,128 MiraclePtr bonus remains available.

Google notes that the total reward pool for 2026 will increase overall, even though individual payouts for simpler bugs are decreasing.

AI‑Focused Bug Bounty Program

In 2025 Google launched a dedicated AI bug bounty program covering products such as Gemini, Google Search, and Workspace AI tools. Highlights:

• Rewards of up to $30,000 for serious AI‑related vulnerabilities (e.g., prompt injection, unauthorized actions, data exfiltration).
• The program reflects Google’s view that AI tools make it easier to discover simple bugs, so the emphasis is now on rewarding more technically demanding findings that pose real‑world risk.
• Researchers are encouraged to submit fixes along with their reports, not just proof of concept.

Summary

Google’s updated VRP aims to align incentives with the evolving security landscape:

• High‑impact, complex exploits (especially those involving the Titan M2 chip) receive substantially larger rewards.
• Simpler, routine bugs see reduced payouts and fewer bonus categories, largely due to AI‑assisted discovery.
• The Chrome and AI programs retain significant incentives for high‑value research while encouraging responsible disclosure and remediation.