In an era of increasingly complex digital threats, Google’s strategy of “inviting the world to find its bugs” is paying off at a record-breaking scale. According to a new report, 2025 marked a special year in the history of vulnerability rewards and bug bounty programs at Google. The company celebrated the 15th anniversary of its Vulnerability Reward Program (VRP) by awarding an all-time high of over $17 million to the global security community.
The total payout for 2025 represents a 40% increase compared to the previous year. This massive investment supported a diverse network of 747 researchers spanning the globe.
Key highlights from the financial data include:
- Total Rewards: $17.1 million.
- Highest Single Reward: A whopping $250,000 for a high-impact finding.
- Historical Impact: Since its inception in 2010, the VRP umbrella has paid out a total of $81.6 million.
Recognizing the shifting technological landscape, Google made significant structural changes to its reward systems in 2025. The most notable update was the launch of a dedicated AI VRP.
Moving away from its previous home under the “Abuse VRP,” this new program offers:
“…improvements to the rules, offering researchers more clarity on scope and reward amounts.”
This focus on AI extended to the Chrome VRP, which now includes specific reward categories for vulnerabilities found in the browser’s AI features.
Google also doubled down on its bugSWAT program—exclusive, invite-only live hacking events that bring elite researchers together to hunt for vulnerabilities. These events delivered “outstanding findings” across critical areas:
- AI (Tokyo): The first dedicated AI event resulted in 70+ reports and over $400,000 in rewards.
- Cloud (Sunnyvale): A summer event yielded 130 reports and $1.6 million in payouts.
- ESCAL8 (Mexico City): This multi-faceted event combined a bugSWAT session with Google’s CTF finals, awarding $566,000 to date for findings in AI, Android, and Cloud.
Beyond its proprietary products, Google incentivized security for the broader internet infrastructure. The company launched a patch rewards program for OSV-SCALIBR, an open-source tool used to find vulnerabilities in software dependencies. Contributions to this tool have already provided immediate internal benefits:
“Besides strengthening the tool’s capabilities for all users, user submissions already helped us uncover and remediate a number of leaked secrets internally!”
Google shows no signs of slowing its collaborative approach. As the company looks toward 2026, it aims to stay ahead of emerging threats by continuing to host several bugSWAT events and the next edition of its ESCAL8 conference.