Google has officially launched a dedicated AI Vulnerability Reward Program, offering security researchers up to $30,000 for discovering critical flaws in its artificial intelligence systems. The program specifically targets “rogue actions” that could allow attackers to manipulate AI systems into performing unauthorized tasks, from unlocking smart home devices to exfiltrating sensitive user data.
Targeting High-Impact AI Exploits
The new program prioritizes vulnerabilities that demonstrate real-world harm potential, moving beyond simple AI “jailbreaks” that generate inappropriate content. Google’s qualifying bug categories include sophisticated attack scenarios such as indirect prompt injections that could cause Google Home to unlock doors, or data exfiltration prompts that summarize users’ emails and send summaries to attackers.
Rogue actions represent the highest-tier threats in Google’s classification system. These involve modifying user accounts or data to compromise security or perform unwanted actions. A notable example previously exposed demonstrated how poisoned Google Calendar events could open smart shutters and turn off lights through AI manipulation.
The reward structure reflects the severity and target of discovered vulnerabilities. Google’s flagship products – Search, Gemini Apps, and core Workspace applications like Gmail and Drive – qualify for the maximum $20,000 base reward. Quality multipliers and novelty bonuses can push total payouts to $30,000. Lower-tier products such as Jules or NotebookLM, and less severe exploits like stealing secret model parameters, receive reduced payouts.
Two Years of AI Security Investment
Google’s commitment to AI security has already generated substantial results. Since the company began formally inviting AI researchers to identify vulnerabilities in 2023, bug hunters have accumulated over $430,000 in rewards across various programs. The 2024 retrospective revealed that Google received over 150 AI-related bug reports and distributed more than $55,000 specifically through AI security programs.
This represents part of Google’s broader $11.8 million vulnerability reward payout in 2024, distributed to 660 researchers across all security programs. The company has now awarded over $65 million in total bug bounty rewards since establishing its first program in 2010.
Beyond Simple Content Violations
Google has drawn clear distinctions between qualifying security vulnerabilities and content policy violations. Simply causing Gemini to hallucinate or generate inappropriate content does not qualify for rewards under the new program. Instead, the company directs such issues to internal feedback channels where AI safety teams can “diagnose the model’s behavior and implement necessary long-term, model-wide safety training“.
Security researchers have already demonstrated the sophisticated nature of qualifying AI vulnerabilities. Recent discoveries include the “Gemini Trifecta” – three vulnerabilities affecting different components of Google’s AI suite that enabled search injection attacks, log-to-prompt injections, and data exfiltration through browsing tools. These examples illustrate how AI systems can be manipulated through indirect prompt injections embedded in web content or system logs.
CodeMender: Automated Defense Initiative
Alongside the vulnerability program, Google introduced CodeMender, an AI-powered agent that automatically patches security flaws in software code. The system has already contributed 72 security fixes to open-source projects over six months, including work on codebases spanning over 4.5 million lines of code.
CodeMender operates using Google’s Gemini Deep Think models to analyze vulnerabilities through advanced techniques like fuzzing and theorem proving. The system includes specialized “critique” agents that act as automated peer reviewers, checking patches for correctness before human approval. This proactive approach addresses a growing bottleneck as AI-powered vulnerability discovery outpaces human developers’ ability to implement fixes.
Industry Context and Verification
Multiple cybersecurity firms and researchers have validated Google’s approach. Tenable Research independently discovered and reported Gemini vulnerabilities that demonstrated real-world exploitation potential. The company’s findings confirmed that AI systems present unique attack surfaces requiring specialized security testing beyond traditional methods.
The AI cybersecurity market reflects growing industry investment, with valuations reaching $22.4 billion in 2023 and projected growth to $60.6 billion by 2028. Organizations using AI-powered security tools report average savings of $1.76 million compared to those without such systems, while 69% of organizations indicate they cannot respond to cyber threats without AI assistance.
Program Structure and Reporting
The dedicated AI VRP consolidates previously fragmented reporting processes across Google’s various AI products and services. Researchers can submit findings through Google’s established Bug Hunters platform at bughunters.google.com. The program follows coordinated vulnerability disclosure principles, with Google adhering to 90-day disclosure deadlines for reported security issues.
The scope explicitly covers traditional security vulnerabilities adapted for AI systems, including prompt injection attacks that affect user accounts or assets, training data extraction that reveals sensitive information, and model manipulation that enables fraudulent operations. However, the program excludes issues related to copyright infringement or extraction of non-sensitive public information.
Google’s AI Red Team, established to identify common attack vectors against AI systems, provides the foundation for qualifying vulnerability categories. The team’s research into tactics, techniques, and procedures used by real-world adversaries helps establish realistic threat models for the bug bounty program.
This launch represents Google’s most comprehensive approach to AI security, building on two years of experience with AI vulnerability research while establishing clear frameworks for future discoveries. The program aims to incentivize broader security community participation in identifying AI-specific threats before they can be exploited maliciously.
