Google has announced significant changes to its Vulnerability Reward Programs (VRP) for Chrome and Android, adjusting payouts in response to an increase in AI-driven vulnerability reports. The company is now prioritizing vulnerabilities that have a higher user impact and are harder for AI tools to identify, while also incentivizing more actionable reports. Notably, rewards for Android vulnerabilities have increased, with payout ceilings for certain exploits rising from $1 million to $1.5 million. In contrast, Chrome’s payouts have dropped drastically as Google shifts focus away from lengthy submissions generated by AI tools. This decision comes amid a broader industry trend where programs, such as the Internet Bug Bounty, have paused new submissions due to an overwhelming volume of AI-assisted reports.

Google: Google operates Vulnerability Reward Programs for its Chrome browser and Android platform to incentivize security research. In response to a surge in AI-driven vulnerability reports, it recently lowered standard Chrome payouts while raising rewards for high-impact Android flaws that are harder for AI to detect. The changes emphasize concise, reproducible reports with proof of exploitability and proposed patches.
OpenAI: OpenAI builds AI models tailored for cybersecurity through its Trusted Access for Cyber program. GPT-5.4-Cyber enables defenders to scan binaries and fix exploits without source code, with tiered access for verified users. The model’s deployment is amplifying the use of AI in vulnerability discovery, influencing adjustments in programs like Google’s VRP.
Anthropic: Anthropic is an AI safety and research company developing interpretable AI systems like Claude. It launched Claude Mythos Preview, a model that represents a significant advancement in autonomously identifying vulnerabilities in major operating systems and browsers. This capability has contributed to the flood of AI-generated bug submissions prompting Google to revamp its bounty programs.
Claude Mythos: Claude Mythos is Anthropic’s preview frontier AI model specialized in cybersecurity for discovering hidden software vulnerabilities and producing exploits. In closed testing, it has exposed long-standing bugs in critical systems overlooked by traditional researchers. Its power is part of the AI surge causing organizations to adapt their bug bounty processes.
GPT-5.4-Cyber: GPT-5.4-Cyber is OpenAI’s fine-tuned AI model for proactive cyber defense, allowing binary scanning and automated vulnerability fixes. Available to verified security teams, it lowers refusals for defenders compared to public versions. It contributes to the influx of AI-assisted reports reshaping vulnerability reward landscapes.
Internet Bug Bounty: Internet Bug Bounty is a HackerOne-operated program serving as a neutral hub for vulnerability disclosures across projects. It recently paused new report intake due to overwhelming AI-generated submissions outpacing patch capabilities. This mirrors challenges faced by Google and others in managing AI-driven security research.

```json
{
  "Program Shifts": "Google is focusing on concrete proof and proposed patches for kernel vulnerabilities in Android while placing less emphasis on detailed AI-generated submissions for Chrome.",
  "AI-Driven Surge": "Advanced AI tools like Claude Mythos and GPT-5.4-Cyber have overwhelmed bug bounty programs with reports, prompting a shift towards prioritizing actionable and substantiated submissions.",
  "Industry Response": "The imbalance caused by rapid AI-driven vulnerability reporting has led some programs, including the Internet Bug Bounty, to pause new vulnerability intakes."
}
```