Google Bug Hunter Claims $500K From AI-Assisted Vulnerability Pipeline

A security researcher says an AI-assisted bug-hunting pipeline helped him collect more than $500,000 in Google bounty payouts in under three months.

The figure has not been confirmed by Google, and it should be treated as a self-reported total from multiple vulnerability reports. For IT and security teams, the case shows how quickly API exposure can become a security problem once automation is layered onto access-control testing.

In its 2025 Vulnerability Reward Program review, Google said it paid $17.1 million across its VRPs, including $350,000 through its dedicated AI VRP and $890,000 in total AI-related payouts. The company’s AI Vulnerability Reward Program rules list rewards of up to $30,000 for qualifying AI security bugs.

Inside the AI-assisted bug-hunting pipeline

The work started with Google “discovery documents,” machine-readable API specifications that list endpoints, parameters, and methods, according to Cyber Kendra’s account of Brutecat’s write-up.

Brutecat said he gathered API keys from more than 60,000 Android APKs and used a Chrome extension to observe network traffic across more than 2,800 Google web domains. Some endpoints appeared only when queried with particular credentials.

The effort produced discovery documents for more than 1,500 APIs, according to the write-up. Brutecat then converted those API definitions into tools an AI model could use to test endpoints for broken access control, including insecure direct object reference flaws, where one user may access or modify another user’s data because authorization checks fail.

The write-up says accuracy improved after the workflow was refined, but it does not define how that rate was calculated.

Reported findings touched Google Voice/Fiber, AdExchange, YouTube, Widevine, Cloud Console, Vertex AI Search for Commerce, and internal Google systems. Publicly described rewards ranged from $12,000 to $30,000 for individual issues.

Why API exposure is the enterprise risk

API visibility is part of the attack surface. Client-side keys embedded in mobile apps or exposed through web traffic may not be stolen credentials, but they can still help outsiders map services an organization did not expect them to enumerate.

The same access-governance problem is surfacing in production AI infrastructure, where exposed gateways can widen the blast radius of service accounts and connectors.

Security teams should review where API keys appear in client-facing code, which APIs are discoverable with those keys, and whether internal or staging endpoints are reachable from credentials distributed in public apps. Recent developer-token exposure cases show how trusted credentials can become a path into private code or internal systems.

The core test is not whether an endpoint is documented; it is whether access is properly authorized once someone finds it.

AI-assisted testing still needs human review. Models can run repetitive checks across large endpoint sets, but bug bounty and application security teams need reviewers to confirm exploitability, filter false positives, and keep noisy reports from overwhelming engineers.

For remediation, teams should prioritize internet-facing and high-severity findings based on exposure and known exploitation. The pressure is already showing up in routine patch operations, including record monthly security releases that force IT teams to validate, test, and deploy fixes faster. CISA’s Known Exploited Vulnerabilities catalog remains a baseline for patch triage because it tracks flaws already seen in active exploitation.

Brutecat’s claimed $500,000 total remains unverified by Google. AI did not replace security expertise here; it amplified a workflow built around API discovery, access-control testing, and manual validation.

Also read: Malicious AI models can create another path to credential exposure when model-loading systems are allowed to run untrusted code.