Google just launched its first dedicated AI vulnerability reward program, offering up to $30,000 for researchers who uncover security flaws that could turn AI systems into weapons. The move comes as prompt injection attacks threaten to weaponize everything from smart home devices to enterprise email systems, with bug hunters already earning over $430,000 in AI-related bounties over the past two years.
Google is putting serious money behind AI security. The tech giant launched its first dedicated AI vulnerability reward program Monday, offering researchers up to $30,000 for uncovering security flaws that could weaponize artificial intelligence systems. The timing isn't coincidental - as AI systems become more integrated into daily workflows, the attack surface is expanding rapidly.
The program's qualifying vulnerabilities read like a cybersecurity nightmare playbook. Researchers can earn top-tier payouts for discovering "rogue actions" - AI exploits that cause real-world harm. Think prompt injections that trick Google Home into unlocking doors, or malicious prompts that summarize someone's entire email inbox and forward it to an attacker's account.
This isn't Google's first rodeo with AI security bounties. Bug hunters have already pulled in over $430,000 during the two years since the company officially started inviting AI researchers to probe its AI features. But Monday's announcement formalizes what constitutes an AI vulnerability, creating clear categories for researchers who previously navigated murky waters.
The program breaks down AI bugs as issues that exploit large language models or generative AI systems to cause harm or bypass security measures. At the top of the threat hierarchy are "rogue actions" - modifications to user accounts or data that compromise security or trigger unwanted behaviors. One particularly creative example from previous research showed how a poisoned Google Calendar event could manipulate smart home devices, opening shutters and killing lights.
But Google's drawing clear lines about what won't earn bounties. Simply getting Gemini to hallucinate or generate problematic content doesn't qualify. "Issues related to content produced by AI products - such as generating hate speech or copyright-infringing content - should be reported to the feedback channel within the product itself," Google states. The company wants its AI safety teams to "diagnose the model's behavior and implement the necessary long-term, model-wide safety training" rather than patch individual content issues.
The payout structure reflects Google's product priorities. The maximum $20,000 base reward targets "flagship" products including Search, Gemini Apps, and core Workspace applications like Gmail and Drive. Quality multipliers and novelty bonuses can boost that to $30,000 for exceptional discoveries. Lower-tier products like Jules or NotebookLM command smaller bounties, as do less severe vulnerabilities like stealing model parameters.
Alongside the bounty program, Google unveiled CodeMender, an AI agent that automatically patches vulnerable code. The system has already delivered 72 security fixes to open source projects after human verification - a defensive counterpart to the offensive research the bounty program encourages.
The launch signals Google's recognition that AI security requires specialized expertise. Traditional bug bounty programs weren't designed for prompt injection attacks or AI model exploits. By creating dedicated categories and clear reward structures, Google's betting that focused incentives will attract the right researchers to probe AI systems before bad actors do.
Google's dedicated AI vulnerability program represents a maturation of AI security thinking. By offering substantial rewards and clear categories, the company's acknowledging that AI systems create entirely new attack vectors that traditional security research wasn't designed to catch. With $430,000 already paid out and CodeMender patching vulnerabilities simultaneously, Google's building both offensive and defensive AI security capabilities. The question is whether other major AI players will follow suit with similar programs, or if Google's early move gives it a critical advantage in understanding its own AI attack surface.
