
Google paid $17.1 million for vulnerability reports in 2025

Why This Matters

Google's record-breaking $17.1 million payout in 2025 highlights its ongoing commitment to cybersecurity and the importance of external researcher collaboration in identifying vulnerabilities. This substantial investment not only enhances the security of Google's products but also sets a benchmark for the tech industry in bug bounty programs, encouraging a proactive approach to security. The expansion into AI and open-source security further underscores the evolving landscape of digital threats and Google's dedication to staying ahead.

Key Takeaways

Google paid over $17 million to 747 security researchers who reported security bugs through its Vulnerability Reward Program (VRP) in 2025.

The company says it has awarded over $81.6 million in bug bounties since the first Vulnerability Reward Program went live in 2010, while the highest reward paid last year was $250,000.

"Our VRP once again confirmed the ongoing value of engaging with the external security research community to make Google and its products safer," Google said.

"This was more evident than ever as we awarded over $17 million (an all-time high and more than 40% increase compared to 2024!) to over 700 researchers based in countries around the globe – across all of our programs."

Among last year's highlights, Google launched an AI Vulnerability Rewards Program for security researchers targeting the company's AI systems and added new reward categories to the Chrome VRP for AI bugs.

It also launched a rewards program for OSV-SCALIBR, the company's open source tool for finding security flaws in software dependencies.

In 2025, the Android and Google Devices Security Reward Program paid over $2,900,000, the Chrome security team awarded $3,716,750 to over 100 reporters, while 143 researchers were rewarded $3,574,399 during the Cloud Vulnerability Reward Program's first full year of operation.

Google Vulnerability Reward Program in 2025 (Google)

Last year, Google awarded another $12 million to 660 security researchers who found and reported vulnerabilities throughout 2024.

The highest bug bounty of 2024 was $100,115 for a MiraclePtr Bypass, after Google more than doubled rewards for MiraclePtr bypasses to $250,128 from $100,115 when the program launched.
