Google’s Bug Bounty Program Achieves Record $17 Million in 2025 Payouts
In 2025, Google marked the 15th anniversary of its Vulnerability Reward Program (VRP) by awarding an unprecedented $17 million to security researchers worldwide. This figure represents a 40% increase from the previous year, underscoring Google’s commitment to enhancing cybersecurity through community collaboration.
Over 700 ethical hackers contributed to this milestone by identifying and responsibly disclosing vulnerabilities across Google’s vast array of products and services. Their efforts have been instrumental in fortifying the security of critical infrastructure and protecting users globally.
Emphasis on Artificial Intelligence Security
As artificial intelligence (AI) continues to permeate various aspects of technology, Google has recognized the need to address the unique security challenges it presents. In response, the company launched a dedicated AI Vulnerability Reward Program in 2025. This initiative provides researchers with clear guidelines and reward structures for identifying AI-specific vulnerabilities, reflecting Google’s proactive approach to securing emerging technologies.
The Chrome security team has also adapted to these evolving threats by introducing reward categories focused on vulnerabilities within Chrome’s integrated AI features, including the Gemini project. This targeted approach ensures that AI-related security issues are promptly identified and mitigated.
Community Engagement and Live Hacking Events
A significant factor contributing to the success of the VRP in 2025 was Google’s active engagement with the global security community. The company hosted multiple editions of bugSWAT, an exclusive, invite-only series of live hacking events targeting high-priority attack surfaces.
Notable bugSWAT events in 2025 included:
– Sunnyvale Cloud bugSWAT: Resulted in 130 vulnerability reports and $1.6 million in payouts.
– Tokyo AI bugSWAT: Generated over 70 reports and $400,000 in rewards during April.
– Mexico City bugSWAT: Paid out $566,000 for 107 reports spanning AI, Android, and Cloud targets.
– Las Vegas bugSWAT: Added 77 verified reports and $380,000 in bounties to the yearly total.
These events not only facilitated the discovery of critical vulnerabilities but also fostered collaboration between Google’s internal security teams and external researchers.
Innovations in Open-Source Security
Beyond direct product security, Google introduced a unique patch-reward program for OSV-SCALIBR, an open-source tool designed to detect vulnerabilities in software dependencies. Security contributors are now rewarded for developing novel OSV-SCALIBR plugins that enhance inventory tracking and secret detection. These community-driven contributions have already led to the identification and remediation of internal security issues within Google’s infrastructure.
Global Outreach and Security Conferences
To further engage with the global security community, Google launched ESCAL8, a dedicated security conference hosted in Mexico City. The event featured technical seminars, student workshops, and the HACKCELER8 Capture the Flag (CTF) finals. This initiative provided a platform for knowledge sharing and skill development among security professionals and enthusiasts.
Looking Ahead to 2026
Building on the momentum of 2025, Google plans to expand its collaboration with the external security community in 2026. The VRP team is actively scheduling new bugSWAT events globally and preparing for the next iteration of the ESCAL8 conference. As cyber threats continue to evolve, Google’s substantial investments in bug bounty programs highlight the importance of crowdsourced security research in defending against emerging challenges.
