Google paid $17.1 million for vulnerability reports in 2025



Google paid over $17 million to 747 security researchers who reported security bugs through its Vulnerability Reward Program (VRP) in 2025.

The company says it has awarded over $81.6 million in bug bounties since the first Vulnerability Reward Program went live in 2010, while the highest reward paid last year was $250,000.

“Our VRP once again confirmed the ongoing value of engaging with the external security research community to make Google and its products safer,” Google said.

“This was more evident than ever as we awarded over $17 million (an all-time high and more than 40% increase compared to 2024!) to over 700 researchers based in countries around the globe – across all of our programs.”

Among last year’s highlights, Google launched an AI Vulnerability Rewards Program for security researchers targeting the company’s AI systems and added new reward categories to the Chrome VRP for AI bugs.

It also launched a rewards program for OSV-SCALIBR, the company’s open source tool for finding security flaws in software dependencies.

In 2025, the Android and Google Devices Security Reward Program paid over $2,900,000, the Chrome security team awarded $3,716,750 to over 100 reporters, while 143 researchers were rewarded $3,574,399 during the Cloud Vulnerability Reward Program’s first full year of operation.

Google Vulnerability Reward Program in 2025 (Google)

Last year, Google awarded another $12 million to 660 security researchers who found and reported vulnerabilities throughout 2024.

The highest bug bounty of 2024 was $100,115 for a MiraclePtr Bypass, after Google more than doubled rewards for MiraclePtr bypasses to $250,128 from $100,115 when the program launched.

“Our goal remains to stay ahead of emerging threats, adapt to evolving technologies, and continue to strengthen the security posture of Google’s products and services – all of which is only possible in collaboration with the external community of researchers we are so lucky to collaborate with,” Google added.

“In this spirit, we’d like to extend a huge thank you to our bug hunter community for helping us make Google products and platforms more safe and secure for our users around the world – and invite researchers not yet engaged with the Vulnerability Reward Program to join us in our mission to keep Google safe.”
