Google has revised its Vulnerability Reward Programs (VRPs) for Chrome and Android, adjusting payouts in response to the increasing use of AI tools in vulnerability discovery. Notably, maximum rewards for certain Android vulnerabilities have increased significantly, from $1 million to $1.5 million for zero-click exploits, while Chrome payouts have dropped substantially, with some rewards now one tenth of their previous value. This shift reflects Google's focus on prioritizing vulnerabilities that are harder for AI tools to find and on incentivizing security researchers to provide concrete proof and actionable reports, as the rise of AI-assisted submissions has strained review processes across the industry.
Google: Google is a technology company that develops the Chrome web browser and the Android operating system and operates dedicated Vulnerability Reward Programs to engage security researchers. It recently overhauled its Chrome and Android VRPs to counter the rise in AI-assisted submissions, boosting rewards for high-impact Android flaws that are difficult for AI tools to find and reducing standard Chrome payouts while favoring concise, reproducible reports. These changes aim to prioritize actionable findings as vulnerability discovery methods evolve.
Claude Mythos: Claude Mythos is Anthropic’s advanced AI model tailored for cybersecurity, excelling in autonomous vulnerability discovery and exploitation testing. Available in limited preview to partners via initiatives like Project Glasswing, it identifies zero-day flaws in open-source codebases and critical software. Its capabilities have fueled a surge in AI-driven bug reports, influencing adjustments in reward programs like Google’s VRP.
GPT-5.4-Cyber: GPT-5.4-Cyber is OpenAI’s specialized AI variant of GPT-5.4, tuned for defensive cybersecurity tasks with reduced safeguards for legitimate research. Rolled out to vetted security firms and researchers through trusted access programs, it supports vulnerability analysis and ecosystem strengthening. The model contributes to the growing wave of AI-generated submissions overwhelming bug bounty platforms.
Industry Trend: Bug bounty platforms report escalating submission volumes from AI tools, straining review processes and prompting policy shifts.
Program Pauses: HackerOne’s Internet Bug Bounty program paused new vulnerability submissions due to an influx of AI-assisted reports.
AI Tool Restrictions: Advanced models like Claude Mythos and GPT-5.4-Cyber are limited to preview access for select security partners to prevent misuse.
