Originally reported by Google Online Security
TL;DR
Google paid out a record $17 million to over 700 researchers globally through its vulnerability reward programs in 2025, a 40% increase from the previous year. The company launched a dedicated AI VRP and expanded bug bounty scope across multiple product lines during the program's 15th anniversary year.
This is a retrospective report on Google's vulnerability reward program performance and program updates, with no immediate actionable threats or exploitations disclosed.
Google's Vulnerability Rewards Program (VRP) reached new heights in 2025, distributing over $17 million to security researchers worldwide during the program's 15th anniversary year. The payout represents a 40% increase from 2024 and marks an all-time high for Google's bug bounty initiatives, according to the company's annual review published by the VRP team.
The program engaged with more than 700 researchers across multiple countries, spanning Google's entire product ecosystem from Android and Chrome to Cloud services and emerging AI technologies.
Google launched a dedicated AI VRP in 2025, elevating artificial intelligence security from a subset of the Abuse VRP to its own specialized program. The dedicated structure provides researchers with clearer scope definitions and more transparent reward structures for AI-related vulnerability discoveries.
The Chrome VRP simultaneously expanded to include reward categories for security issues found within AI features, reflecting Google's broader integration of machine learning capabilities across its browser platform.
Google's invite-only bugSWAT events produced substantial security research outcomes throughout 2025:
The Mexico City event was part of Google's broader ESCAL8 cybersecurity conference, which included educational workshops and capture-the-flag competitions.
Google introduced patch rewards for OSV-SCALIBR, the company's open source vulnerability scanning tool for software dependencies. The program incentivizes researchers to contribute detection plugins for inventory management, vulnerability identification, and secret detection capabilities.
According to Google, community contributions have already helped identify and remediate internally leaked secrets, demonstrating immediate security benefits from the expanded program.
Google plans to maintain its commitment to external security research collaboration through continued bugSWAT events and the next iteration of the ESCAL8 conference. The company emphasized its focus on staying ahead of emerging threats and adapting to evolving technology landscapes through community partnerships.
The VRP team highlighted the program's evolution from its 2010 origins into a comprehensive security research ecosystem spanning multiple product verticals and specialized focus areas.