Google is paying $1.5 million for a Pixel hack and cutting Chrome rewards because AI is finding bugs faster than humans can submit reports

Google overhauled its Vulnerability Reward Program for Android and Chrome on May 1 in response to AI tools reshaping bug hunting. The maximum Pixel Titan M reward jumped to $1.5 million for a zero-click exploit with persistence. Chrome payouts dropped across categories. Google is rewarding 'actionable reports' with concrete exploits and suggested fixes rather than raw bug volume - a response to AI tools like Anthropic's Mythos and OpenAI's GPT-5.4-Cyber generating more vulnerability reports than security teams can triage. Google paid a record $17.1 million in 2025 (up 40% from 2024) and expects 2026 aggregate rewards to increase further despite per-bug cuts.

Check

If your organization runs a bug bounty program, decide this quarter whether you reward per-finding or per-impact - the AI-generated bug volume is making the per-finding model financially unsustainable.

Affected

Any organization running a vulnerability reward program is facing the same volume problem Google is responding to. Independent security researchers face per-bug payment cuts industry-wide as programs adjust. The Internet Bug Bounty pause is a signal that mid-tier programs without Google's scale will struggle most.

Fix

Restructure bounty programs to reward proof of exploitation (working PoC, demonstrated impact) rather than report volume. Add quality gates: detailed reproduction steps, proposed fixes, impact analysis. Use AI tools defensively to triage incoming reports. For independent researchers: focus on high-value targets where AI struggles (complex multi-step exploits, business logic flaws) rather than competing on volume.