CyberSecurityNews

Google’s Bug Bounty Program Hits All-Time High With $17 Million in 2025 Payouts


Google’s Vulnerability Reward Program (VRP) celebrated its 15th anniversary in 2025 by breaking every payout record in its history.

The tech giant awarded a staggering $17 million to external security researchers worldwide, representing a massive 40% surge compared to 2024.

Over 700 ethical hackers from across the globe successfully identified and responsibly disclosed vulnerabilities, proving the continued necessity of community-driven security research to protect critical infrastructure.

Artificial intelligence dominated Google’s threat modeling and security focus last year. To address the rapidly changing attack surface of machine learning models, Google officially launched a dedicated AI Vulnerability Reward Program.

Previously managed under the Abuse VRP umbrella, this new standalone category provides researchers with precise scoping rules and clear reward tiers for AI-specific exploits. The browser security team also adapted to these emerging threats.

Google’s Bug Bounty Program

The Chrome VRP now features specific reward categories dedicated entirely to flaws discovered within Chrome’s integrated AI and Gemini features. Active community engagement drove much of 2025’s record-breaking success.

Google hosted multiple editions of bugSWAT, an exclusive, invite-only live hacking event series that targets high-priority attack surfaces.

Vulnerability Reward Program 2025 (Source: Google)

Major bugSWAT events in 2025 included:

  • Sunnyvale Cloud bugSWAT led to 130 vulnerability reports and a massive $1.6 million in payouts.
  • Tokyo AI bugSWAT generated over 70 reports and $400,000 in rewards during April.
  • Mexico City bugSWAT paid out $566,000 for 107 reports spanning AI, Android, and Cloud targets.
  • Las Vegas bugSWAT added 77 verified reports and $380,000 in bounties to the yearly total.

Beyond direct product hacking, Google launched a unique patch-reward program for OSV-SCALIBR, an open-source tool that detects vulnerabilities in software dependencies.

Security contributors now earn rewards for building novel OSV-SCALIBR plugins that improve inventory tracking or secret detection. Google noted that these community submissions have already helped the company discover and remediate internal leaked secrets.

Global outreach also saw a massive upgrade with the launch of ESCAL8, a dedicated security conference hosted in Mexico City. The event featured technical thought leadership seminars, student workshops, and the HACKCELER8 Capture the Flag (CTF) finals.

Google plans to carry this momentum into 2026 by expanding its collaboration with the external security community.

The VRP team is actively scheduling new bugSWAT events globally and preparing for the next iteration of the ESCAL8 conference.

As threat actors continuously adapt to novel technologies, Google’s massive bug bounty investments highlight a clear strategy. Crowdsourced security research remains one of the strongest defenses against emerging cyber threats.
