Google has launched a new AI Vulnerability Reward Program (AI VRP) offering bounties up to $30,000 for security researchers who uncover high-impact flaws in its AI systems, especially “rogue actions” like prompt injections that can enable unauthorized activity. The company is also unveiling CodeMender, an AI agent that autonomously finds and patches vulnerabilities—routing each proposed fix through “critique” agents and human review before deployment. These announcements come along with updates to its Secure AI Framework 2.0 (SAIF 2.0), which formalizes guardrails for autonomous agents like well-defined human oversight, limited powers, and transparent action plans. Google says it has already awarded over $430,000 in AI-related bug bounties since opening proposals, and the new program streamlines scope and reporting across Google’s AI products. Meanwhile, in the broader bug bounty ecosystem, Google paid nearly $11.8 million in 2024 to researchers through its traditional vulnerability rewards programs.
Sources: C-Sharp Corner, Dark Reading
Key Takeaways
– Google’s new AI VRP sets higher limits (up to $30,000) for serious AI exploits, narrowing focus to system-level “rogue actions” rather than content behavior.
– CodeMender represents a shift toward autonomous defense: it finds, patches, validates, and proposes fixes, but final merge decisions remain human.
– The rollout of SAIF 2.0 alongside the new bounty program and CodeMender signals Google’s effort to embed governance, limits, and auditability into AI agent development.
In-Depth
In the fast-evolving world of AI, Google is trying to stay ahead of the curve by restructuring how it handles security—blurring the lines between offense and defense. The recent unveiling of its AI Vulnerability Reward Program (AI VRP), CodeMender, and Secure AI Framework 2.0 are part of a coordinated push to respond to growing demand for stronger safeguards, especially as models gain more autonomy.
The heart of the announcement is the AI VRP. Whereas Google’s traditional bug bounty programs focus largely on software bugs, memory errors, or platform security flaws, this new program explicitly targets AI system vulnerabilities—particularly ones that enable the model to behave in unintended ways or influence other systems without authorization. Examples include chained prompt injections that trick the model into leaking private data or executing operations like unlocking a smart device. Google is offering base rewards of $20,000 for exploits in flagship AI products (Search, Gemini, Gmail, Drive) with multipliers to raise the payout to $30,000 for novel or high-quality reports. Lesser products and lower severity issues receive tiered lower rewards. By consolidating AI bug reporting under a unified scope, Google aims to avoid confusion about what counts as an exploit versus a content misbehavior.
While bounties generate signals, Google is also pushing a more proactive defense with CodeMender—an AI agent built to autonomously find, propose, and validate patches. It uses reasoning capabilities (supported by Gemini model architectures) to identify root causes of vulnerabilities, propose fixes, and then subject those fixes to validation by “critique” agents—other AIs that check for correctness, side effects, regressions, and compatibility. The tentative patches are then passed along to human engineers for final sign-off before real code merges. This hybrid model aims to accelerate response time while keeping human oversight in critical decisions.
Importantly, CodeMender isn’t just for Google’s internal stack. Google intends for it to assist in open-source ecosystems as well, accelerating patch cycles in widely used libraries. If maintainers begin accepting agent-generated patches, the ripple effects could strengthen defenses across the software supply chain. Still, trust and adoption are nontrivial. Many open-source communities emphasize context, project norms, or architectural constraints that an AI may miss. Whether maintainers accept patches from an AI will depend on quality, auditing visibility, and historical reliability.
To provide guardrails, Google released SAIF 2.0, an update to its Secure AI Framework. The revised framework places greater emphasis on risks posed by autonomous agents—agents that plan, act, and interact across systems. SAIF 2.0 codifies three high-level principles: clearly defined human controllers, strict limitations on agent powers, and transparent observability of agent plans and actions. The framework also includes a risk map cataloging potential threat vectors (prompt injection, tool misuse, cascading exploit chains) and shares this taxonomy with industry collaborators through the Coalition for Secure AI (CoSAI). In effect, Google is trying to bake governance and auditability into the agent design process, not treat them as afterthoughts.
The timing makes sense. With the growth of AI systems capable of acting autonomously—issuing emails, controlling APIs, or managing infrastructure—the attack surface is expanding. Traditional bug bounties are reactive—they reward after a flaw is found. But in high-stakes systems, the window between vulnerability discovery and exploit can be brief. Automating detection and patching compresses that window. Google isn’t alone in pursuing this approach; some competitors and research efforts are exploring AI-assisted remediation, but CodeMender’s full chain (discovery to validated patch) is a bold step.
This strategy also ties into Google’s broader security posture. In 2024, Google paid $11.8 million to bug bounty researchers across its legacy programs, with top-tier rewards for Chrome, Android, and Cloud vulnerabilities. Some of those traditional programs have already incorporated limited AI-relevant issues. The AI VRP builds on that existing structure but sharpens the focus. At the same time, academic research suggests that increasing bounty rewards leads to deeper quality findings. For instance, a recent study on Google’s Vulnerability Rewards Program noted that boosting top-tier payments increased high-value submissions, particularly from veteran researchers as well as new ones.
Still, challenges lie ahead. Automatically generated patches that introduce regressions or conflict with system invariants can cause harm. Ensuring explainability in agent decisions, managing false positives, and maintaining community trust are major hurdles. Even SAIF 2.0’s principles require operational enforcement—governance is an organizational problem, not just a technical one. And adoption beyond Google’s sphere is uncertain: many open-source projects or enterprises will evaluate AI-generated patches cautiously.
But if Google can deliver well-validated patches at scale, while keeping human review and accountability in place, it could tilt the scale in favor of defenders. The combination of stronger incentives (via bounties), automated remediation (via CodeMender), and governance architecture (via SAIF 2.0) signals a more aggressive posture: instead of simply reacting to AI threats, Google is trying to anticipate and shape them. Whether it works in practice depends on adoption, reliability, and the constant pressure from attackers trying to find new loopholes.