Google’s Bug Bounty Program Hits Record $17 Million in 2025 Payouts

Google announced a record-breaking year for its Vulnerability Reward Program (VRP) in 2025, paying out over $17 million to ethical hackers globally to secure its platforms.

This milestone marked a 40% increase from 2024 and coincided with the program’s 15th anniversary.

Vulnerability Reward Program 2025 in Numbers (Source: Google )
Vulnerability Reward Program 2025 in Numbers (Source: Google )

Over 700 security researchers worldwide received financial rewards for discovering and reporting critical vulnerabilities before malicious actors could exploit them.

One of 2025’s key developments was Google’s increased focus on securing AI.

Google launched a dedicated AI Vulnerability Reward Program to provide clearer testing scopes and better reward guidelines.

Previously, AI vulnerabilities were handled under the general Abuse VRP, but the technology’s rapid growth necessitated a specialized approach.

Additionally, the Chrome browser VRP expanded its rules to include specific reward categories for security flaws in AI features like Gemini integrations.

Live Hacking and Open Source Security

Google also invested significantly in live hacking events and open-source security tools throughout 2025.

The company launched a new patch reward program for OSV-SCALIBR, an open-source tool designed to find vulnerabilities in software dependencies. Contributors who provided novel scanning plugins were rewarded, and these external submissions have already helped Google uncover and remediate leaked secrets internally.

On the community front, Google hosted multiple invite-only bugSWAT live hacking events globally. Key highlights included:

  • Tokyo AI bugSWAT in April generated over 70 reports, resulting in more than $400,000 in rewards.
  • Sunnyvale Cloud bugSWAT in June led to 130 reports, paying out an impressive $1.6 million to participants.
  • Las Vegas bugSWAT in August secured 77 reports, issuing $380,000 to security researchers.
  • Mexico City bugSWAT, focused on AI, Android, and Cloud targets, generated 107 reports and $566,000 in payouts.

As cyber threats evolve, Google remains committed to collaborating with the external security community.

In 2026, Google plans to host several more bugSWAT events and the next edition of its ESCAL8 cybersecurity conference.

By working closely with independent researchers and rewarding their efforts, Google aims to stay ahead of emerging threats and continuously strengthen the security of its global products and services.

Related Articles

Back to top button