On Monday, Google formalized something security researchers have been nudging the company toward for years: a bounty program specifically tuned to the kinds of vulnerabilities that come with generative AI. The top prize for the riskiest, most novel exploits is $30,000, and the company is now explicitly rewarding work that shows how an AI system can be tricked into taking real-world actions — the sort of stuff that turns a fuzzy model failure into a real security incident.

Traditional bug bounties pay for things like SQL injection, privilege escalation, or remote code execution. AI systems add a new layer: they can be manipulated by text, images, or inputs that “prompt” the model into doing unintended things. Google’s program emphasizes rogue actions — where an AI is coaxed or tricked into modifying someone’s account, leaking data, or controlling connected devices — over content problems like offensive output or copyright violations. In plain terms, getting Gemini to confidently invent a false fact is poor form, but getting Gemini to open a smart lock or email a sensitive summary to an attacker is prize-worthy.

That distinction matters because the company routes content issues (hate speech, copyright, creative misuse) to in-product feedback so its safety teams can retrain and tune models. The bug bounty, by contrast, is about security and abuse — real threats to people’s accounts, property, and data.

Real examples that make the stakes concrete

The kinds of proof-of-concept exploits Google lists are not theoretical. Researchers have already demonstrated attacks that chain model behavior into physical or account actions: a crafted calendar invite that poisoned Gemini’s context and was able to toggle smart-home devices; prompt-injection attacks that exfiltrate saved content; and scenarios where a generated output sends sensitive summaries to third parties. These are the scenarios Google says it wants external researchers to find and report.

The money — and how it’s structured

Google’s headline numbers are straightforward: top-tier, high-impact bugs on “flagship” products — Search, Gemini Apps, and core Workspace apps like Gmail and Drive — start at a $20,000 base reward. Strong reports can earn multipliers for quality and novelty, pushing the total to $30,000. Less severe issues, or flaws in lower-tier products, carry smaller payments. It’s a tiered approach that tries to match payout to real-world harm and the amount of effort required to exploit something.

It’s worth noting this isn’t Google’s first foray into AI bug payouts: the company has been encouraging AI-related submissions for a couple of years and — by Google’s reckoning — has paid researchers over $430,000 for AI-related findings since it started inviting external teams to probe its systems. The new program refines scope and reward levels rather than starting from scratch.

A side project that’s starting to look useful: CodeMender

Alongside the bounty announcement, Google unveiled an AI agent called CodeMender, which the company says has been used to help patch vulnerable open-source projects — 72 fixes so far, after human vetting. Google pitches CodeMender as a force-multiplier for triaging and fixing supply-chain and open-source issues that contribute to overall AI safety. Whether automated helpers like this will scale responsibly is an open question; for now, Google emphasizes that a human researcher vets anything CodeMender proposes.

What this means for researchers (and for the rest of us)

For security researchers, the message is: if you can demonstrate a reproducible, high-impact chain that uses a model to do something harmful (exfiltrate data, tamper with accounts, operate devices), Google will pay attention — and pay well. For enterprises and everyday users, the announcement is a tacit admission that AI’s surface area for abuse is expanding beyond misleading output into actions that have consequences outside the screen.

That said, the program’s carve-outs are important. Google explicitly says that ordinary content problems — bias, hallucination, foul language, or creative policy violations — belong in product feedback workflows, not the bounty pipeline. That separation helps Google triage what needs model-level safety improvements versus what’s an engineering or infrastructure vulnerability to be patched.

The arms race: incentives, disclosure, and safety

Bounties are an old trick: pay outsiders to find what you might miss internally. Applied to AI, they create incentives to probe emergent behavior and to publish responsible disclosures so fixes can be made before widespread abuse. But money alone doesn’t solve the harder questions about how models are tested, how prompts are sandboxed, or how interconnected systems (think calendar + assistant + smart home) are designed with adversarial thinking baked in.

There’s also the coordination problem: researchers sometimes want credit and publication, companies want quick mitigation, and users want safety. Programs like Google’s aim to square those circles by offering cash and an official reporting channel — with the hope that more eyes will equal fewer surprises.

How to participate

If you’re a researcher with a working exploit or a thoughtful threat model, Google points hunters to its official vulnerability reporting channels and program rules. The company asks for reproducible reports and the usual technical rigor: steps to reproduce, scope, and an explanation of impact. For content-only issues, use in-product feedback instead — those submissions help the safety teams improve the model on a broader scale.

Final take

Google’s move to formalize and sweeten AI-focused bug rewards is both pragmatic and symbolic. Pragmatic because the company can’t secure what it hasn’t tested against a motivated attacker; symbolic because it acknowledges that AI is now part of the attack surface for real-world harms. Paying up to $30,000 isn’t charity — it’s cost-of-doing-business insurance in an era where a poisoned prompt can reach out and touch your front door or your inbox.

If you’re a pen-tester, researcher, or curious hacker, now there’s clearer guidance and clearer money. If you’re a normal person, this should be a small comfort — a signal that someone’s paying attention to the things that could turn clever AI into careless harm.