Google paid $17.1 million for vulnerability reports in 2025
Google paid over $17 million in 2025 to 747 security researchers through its Vulnerability Reward Program, marking a record high and more than a 40% increase from the previous year. The company has awarded a total of $81.6 million since the program launched in 2010, with the largest single reward last year being $250,000. In 2025, Google introduced new bug bounty programs for AI systems and OSV‑SCALIBR and expanded categories for Chrome and Android, paying out over $2.9 million for Android, $3.7 million for Chrome, and $3.6 million for Cloud. The company emphasized its commitment to collaborating with external security researchers to strengthen Google’s products and services.

Google’s Vulnerability Reward Program (VRP) reached a historic milestone in 2025 by awarding more than $17 million to 747 security researchers worldwide. This figure marks an all‑time high and reflects a jump of over 40% from the previous year, underscoring Google’s continued commitment to engaging with the external research community.
Since the program's inception in 2010, Google has paid out over $81.6 million in bug bounties across multiple programs. The largest single reward in 2025 was $250,000, highlighting the company’s willingness to invest heavily in finding and fixing vulnerabilities. “Our VRP once again confirmed the ongoing value of engaging with the external security research community to make Google and its products safer,” Google stated, emphasizing the collaborative nature of its security efforts.
In 2025, several key initiatives were launched or expanded:
- AI Vulnerability Rewards Program – targeting AI systems, offering up to $30,000 for identified flaws.
- Chrome VRP AI Bug Category – new reward categories added specifically for AI vulnerabilities within Chrome.
- OSV‑SCALIBR Rewards Program – a dedicated program for the open‑source tool that scans software dependencies for security issues.
The distribution of rewards across Google’s products was notable: the Android and Google Devices Security Reward Program paid over $2.9 million; Chrome’s security team awarded $3,716,750 to more than 100 reporters; and the Cloud Vulnerability Reward Program, in its first full year, rewarded $3,574,399 to 143 researchers.
A look back at 2024 shows a similar trend: Google paid $12 million to 660 researchers who reported vulnerabilities throughout that year. The highest bug bounty of 2024 was $100,115 for a MiraclePtr bypass, which saw the reward doubled to $250,128 after program adjustments.
Google’s overarching goal remains to stay ahead of emerging threats, adapt to evolving technologies, and strengthen the security posture of its products and services—all achievable only through collaboration with external researchers. The company extended heartfelt thanks to its bug hunter community and encouraged new participants to join the VRP in pursuit of a safer Google ecosystem for users worldwide.