Google: $17.1 million paid out in bug bounty program 2025

In its 2025 bug bounty program "VRP", Google paid out over 17 million US dollars in rewards to IT researchers.


Google has released figures for its bug bounty program “Vulnerability Reward Program” (VRP) for the year 2025. IT security researchers earned more than 17 million US dollars in that year, a new high.

In a blog post, Google writes that the rewards were distributed to more than 700 IT researchers across the globe. More precisely, in the past year, 747 IT researchers received a total of 17.1 million US dollars, while in 2024, 660 analysts received a total of 11.8 million US dollars. The amount paid out is therefore more than 40 percent higher and is the highest since the VRP was launched.

The VRP is divided into several individual programs, for example for Android and devices, Chrome, Cloud, AI, or open-source software. The Android program alone paid out around 2.9 million US dollars. Google states that it is investing in hardening the platform. The use of memory-safe languages and hardware measures has led to a shift in attacker tactics – they have to adapt their malicious toolkits accordingly. The most sophisticated exploits now rely more on logic errors than on code vulnerabilities. AI expands the attack surface: researchers have, for example, found logic errors in the on-device Gemini implementation that allowed the lock screen to be bypassed.

In Google Chrome, more than 100 IT researchers received rewards, totaling more than 3.7 million US dollars. The V8 JavaScript engine sandbox was one of the focal points, where new sandbox escapes were found. Google highlights two IT security researchers who found logic errors in inter-process communication, demonstrated their misuse, and ultimately received 250,000 US dollars for it.

The Cloud Bug Bounty program attracted even more IT researchers: 143 experts received more than 3.5 million US dollars for reported vulnerabilities. Google processed a total of 1,774 security reports for cloud services in 2025. Since last October, Google has also been running a bug bounty program specifically for AI applications. In this program alone, IT researchers have already earned 390,000 US dollars in rewards; in total, 890,000 US dollars were paid out for AI vulnerabilities in 2025. At Google's first AI security event, “AI bugSWAT,” in Tokyo, 70 valid reports were submitted, earning their discoverers 400,000 US dollars. The open-source software sector, on the other hand, lags significantly: out of 192 submitted bug reports, 62 received a reward – a total of just under 330,000 US dollars.


In 2026, Google plans further events comparable to the one in Tokyo, which the company calls “bugSWAT.” Additionally, an IT security conference named “ESCAL8” is planned.

Google last presented a detailed report for the year 2023. There, 632 IT researchers received a total of 10 million US dollars in rewards.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.