RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: chrome (2 articles)Clear
threat
2026-05-01

Google is paying $1.5 million for a Pixel hack and cutting Chrome rewards because AI is finding bugs faster than humans can submit reports

Google overhauled its Vulnerability Reward Program for Android and Chrome on May 1 in response to AI tools reshaping bug hunting. The maximum Pixel Titan M reward jumped to $1.5 million for a zero-click exploit with persistence. Chrome payouts dropped across categories. Google is rewarding 'actionable reports' with concrete exploits and suggested fixes rather than raw bug volume - a response to AI tools like Anthropic's Mythos and OpenAI's GPT-5.4-Cyber generating more vulnerability reports than security teams can triage. Google paid a record $17.1 million in 2025 (up 40% from 2024) and expects 2026 aggregate rewards to increase further despite per-bug cuts.

googlevrpbug-bountypixel-titan-mandroidchromeai-driven-shiftmythosgpt-5-4-cyberinternet-bug-bounty
Check
If your organization runs a bug bounty program, decide this quarter whether you reward per-finding or per-impact - the AI-generated bug volume is making the per-finding model financially unsustainable.
Affected
Any organization running a vulnerability reward program is facing the same volume problem Google is responding to. Independent security researchers face per-bug payment cuts industry-wide as programs adjust. The Internet Bug Bounty pause is a signal that mid-tier programs without Google's scale will struggle most.
Fix
Restructure bounty programs to reward proof of exploitation (working PoC, demonstrated impact) rather than report volume. Add quality gates: detailed reproduction steps, proposed fixes, impact analysis. Use AI tools defensively to triage incoming reports. For independent researchers: focus on high-value targets where AI struggles (complex multi-step exploits, business logic flaws) rather than competing on volume.
vulnerability
CVE-2026-5281
2026-04-01

Google patches fourth Chrome zero-day of 2026 - WebGPU flaw exploited in the wild (CVE-2026-5281)

Google pushed an emergency Chrome update to fix a use-after-free bug in Dawn, the engine behind Chrome's WebGPU graphics standard. CVE-2026-5281 is already being exploited - an attacker who has compromised the browser's renderer process can use a crafted HTML page to execute arbitrary code, potentially escaping Chrome's sandbox. This is the fourth actively exploited Chrome zero-day in 2026, and the third targeting graphics or rendering subsystems. CISA added it to the KEV catalog with an April 15 deadline.

googlechromewebgpudawnzero-daycisa-kevactively-exploited
Check
Update Chrome immediately on all managed endpoints. Also check Edge, Brave, Opera, and Vivaldi - they share the same Chromium codebase.
Affected
Google Chrome prior to 146.0.7680.177/178 (Windows/macOS) or 146.0.7680.177 (Linux). All Chromium-based browsers are affected.
Fix
Update Chrome to 146.0.7680.177/178. Verify auto-update is enabled and not blocked by group policy. Push updates via enterprise management tools. Apply Chromium-based browser patches from Microsoft, Brave, and others as they release.