Google expands binary transparency, $1.5M

- Google expanded Android Binary Transparency on May 4, adding a public, append-only ledger for Google apps released after May 1, 2026.
- Google also overhauled Android and Chrome bug bounties, lifting the top Android payout to $1.5 million for a zero-click Titan M2 chain.
- The bigger shift is about trust you can inspect — and rewards aimed at bugs AI still struggles to find.

Android security usually asks you to trust a signature and move on. But a signature only proves who signed a file — not whether that exact file was the one the company meant to ship. Google is now trying to close that gap from two directions at once. On May 4, it expanded Android Binary Transparency with a public ledger for Google apps, and it separately reworked Android and Chrome bug bounties to pay more for the hardest, highest-impact exploits. (blog.google)

### What is binary transparency?

Binary transparency is basically a public receipt system for software. A vendor publishes a cryptographic record of a release into an append-only ledger, and anyone can later check whether the binary on a device matches something that was publicly logged. Google’[…] (blog.google) […]te of intent. That matters when the bad case is not “unsigned malware,” but “a signed thing that should never have shipped” — like an internal build, a tampered release, or something pushed with a stolen key. (blog.google)

### What changed on Android?

Google says its production Android applications released after May 1, 2026 now get corresponding cryptographic entries in that public ledger. The rollout covers Google applications, including Google Play services and standalone Google apps, plus Mainline modules — th[…] (blog.google) […]lier Pixel System Image Transparency work, but this expands the idea beyond system images into software most Android users actually depend on day to day. (blog.google)

### Why is that a bigger deal than it sounds?

Because supply-chain attacks are ugly precisely when nothing looks obviously broken. If an attacker gets a signing key, or an insider ships a build that was never meant for the public, ordinary users and defenders can have a hard time proving that th[…] (blog.google) […]gle,” you can ask “was this exact build publicly committed as a real production release?” That turns provenance into something outsiders can verify, not just something vendors assert.
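To make the "public receipt" idea concrete, here is an added example (not code from Google or from the article) of the mechanism binary transparency relies on: an append-only Merkle log of release digests, an inclusion proof that a device can check against a published tree root, and the three failure cases the article names (a tampered binary, a build that was never logged, and a proof that does not match). The tree hashing follows the RFC 6962 / RFC 9162 scheme; the release blobs, log contents and `TransparencyLog` API are constructed for the demo and are not Google's actual log format.

```python
"""Toy binary-transparency log: append-only Merkle tree over release digests."""
import hashlib
from typing import Dict, List, Optional


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 domain separation: 0x00 prefix for leaves ...
    return _sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    # ... and 0x01 for interior nodes, so a leaf can never pose as a node.
    return _sha256(b"\x01" + left + right)


def _split(n: int) -> int:
    # Largest power of two strictly less than n (n >= 2).
    return 1 << ((n - 1).bit_length() - 1)


def merkle_root(leaves: List[bytes]) -> bytes:
    if not leaves:
        return _sha256(b"")
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_path(index: int, leaves: List[bytes]) -> List[bytes]:
    # Sibling hashes from the leaf up to the root (the "audit path").
    n = len(leaves)
    if n <= 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_path(index, leaves[:k]) + [merkle_root(leaves[k:])]
    return inclusion_path(index - k, leaves[k:]) + [merkle_root(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, tree_size: int,
                     path: List[bytes], root: bytes) -> bool:
    # RFC 9162 inclusion-proof verification: recompute the root from the leaf.
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf
    for sibling in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(sibling, r)
            while not (fn & 1 or fn == 0):
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, sibling)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


class TransparencyLog:
    """Append-only log (hypothetical API): entries are never edited or removed."""

    def __init__(self) -> None:
        self._entries: List[bytes] = []   # release digests, in append order
        self._leaves: List[bytes] = []

    def append(self, release: bytes) -> int:
        entry = _sha256(release)          # the record: digest of the exact shipped bytes
        self._entries.append(entry)
        self._leaves.append(leaf_hash(entry))
        return len(self._leaves) - 1

    @property
    def size(self) -> int:
        return len(self._leaves)

    def root(self) -> bytes:
        return merkle_root(self._leaves)

    def find(self, release: bytes) -> Optional[int]:
        digest = _sha256(release)
        return self._entries.index(digest) if digest in self._entries else None

    def proof(self, index: int, tree_size: Optional[int] = None) -> List[bytes]:
        # Proof against a specific (possibly older) tree size, so proofs issued
        # before later appends keep verifying against the root published then.
        size = self.size if tree_size is None else tree_size
        return [] if index >= size else inclusion_path(index, self._leaves[:size])


def verify_installed(binary: bytes, log: TransparencyLog,
                     published_root: bytes, published_size: int) -> bool:
    """Device-side check: was this exact binary publicly committed to the log?"""
    idx = log.find(binary)
    if idx is None:
        return False   # signed or not, it was never logged as a production release
    return verify_inclusion(leaf_hash(_sha256(binary)), idx, published_size,
                            log.proof(idx, published_size), published_root)


def demo() -> Dict[str, bool]:
    # Constructed sample release blobs; not real APKs or Mainline modules.
    genuine = b"\x7fELF constructed-play-services-build-2026.05"
    log = TransparencyLog()
    log.append(b"constructed-gmail-build")
    log.append(b"constructed-mainline-module-build")
    idx = log.append(genuine)
    root, size = log.root(), log.size     # what the vendor publishes as a checkpoint
    tampered = bytearray(genuine)
    tampered[10] ^= 0x01                  # one flipped byte, e.g. re-signed with a stolen key
    internal = b"constructed-internal-debug-build"   # built and signed, never logged
    log.append(b"constructed-maps-build")            # later append must not break old proofs
    return {
        "genuine": verify_installed(genuine, log, root, size),
        "tampered": verify_installed(bytes(tampered), log, root, size),
        "unlogged": verify_installed(internal, log, root, size),
        "forged_proof": verify_inclusion(leaf_hash(_sha256(bytes(tampered))), idx, size,
                                         log.proof(idx, size), root),
        "old_proof_after_append": verify_inclusion(leaf_hash(_sha256(genuine)), idx, size,
                                                   log.proof(idx, size), root),
    }
```

The point the article makes falls out of the last three cases: a tampered build and an unlogged internal build both fail even though nothing about their signature is wrong, because the check is "is this exact digest in the public tree?", not "who signed it?". A real deployment also needs the published root to be signed by the log operator and checked for consistency between checkpoints (so the log can only grow), which this toy leaves out.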
(blog.google)

### What changed in the bug bounties?

Google also revamped its Android and Chrome Vulnerability Reward Programs for what it calls the AI era. The headline number is Android: up to $1.5 million for a zero-click full-chain compromise of a Pixel device that reaches the Titan M2 secure element and p[…] (blog.google) […]w up to $250,000 for full-chain browser-process exploits on current operating systems and hardware, with an extra bonus path for bypassing MiraclePtr protections. (bughunters.google.com)

### Why bring AI into this?

Because AI is changing bug hunting unevenly. Google’s argument is that automation now makes it much easier to explain root causes, suggest fixes, and find variants of known bugs, so low-complexity reports are less scarce than they used to be. The company says […] (bughunters.google.com) […]nd attack paths that automated tooling does not surface reliably. The Android rules now explicitly say the program is prioritizing categories that remain harder for AI tooling and that submissions need to show clear user risk with a functional proof of concept. (bughunters.google.com)

### Is Google actually spending more here?

Probably yes, even if some lower-tier rewards get squeezed. Google said last month that it paid out over $17 million across its VRPs in 2025 — an all-time high — to more than 700 researchers. So this is not a retreat from bug bounties. It is a rebalance: less emphasis on volume, more on severity, exploit depth, and fixes that matter most to users. (bughunters.google.com)

### So what’s the real throughline?

Google is treating software trust as something that should be inspectable at two stages. First, before a binary reaches you, its release should leave a public cryptographic trail. Second, before attackers can abuse the hardest gaps, researchers should have strong incentiv[…] (bughunters.google.com) […]nd pay heavily to break what still matters. (blog.google)

### Bottom line?

The flashy number is $1.5 million. The deeper story is that Google is moving past “trust the signature” toward “verify the release,” while steering bounty money toward the bugs humans still beat machines at finding. (blog.google)

Shared from Scout - Be the smartest in the room.