Google paid a record $17.1 million for bug reports in 2025

Google paid more than $17 million to security researchers in 2025 through its Vulnerability Reward Program, marking the company’s highest annual bug bounty payout to date. Google said it rewarded 747 researchers last year and pushed its total payouts since 2010 to more than $81.6 million.

The 2025 total also represented a sharp jump from the year before. Google said payouts rose by more than 40% compared with 2024, when it awarded about $12 million to 660 researchers. The company said the program continues to help it spot serious flaws across Chrome, Android, cloud services, devices, and now AI systems.

Google framed the 2025 results as proof that outside researchers remain a core part of its security model. The company also said the largest single reward paid in 2025 reached $250,000, reflecting higher-value findings in areas such as Chrome sandbox escape research.

One of the biggest themes in 2025 was expansion. Google launched an AI Vulnerability Reward Program focused on security issues in AI products and also added new Chrome reward categories for AI-related bugs. It also introduced a separate rewards program for OSV-SCALIBR, its open source dependency-scanning tool.

Where the money went

Chrome remained one of Google’s most important bug bounty targets. The company said its Chrome security team paid $3,716,750 to more than 100 researchers in 2025. SecurityWeek reported that the top researcher on Google’s leaderboard earned $811,000, showing how valuable high-impact browser findings have become.

Cloud security also stood out. Google said 143 researchers earned $3,574,399 during the first full year of the Cloud Vulnerability Reward Program. The company processed 1,774 cloud security reports in 2025 and said those findings drove architectural changes in several Google Cloud products.

Android and Google devices remained another major category. Google said researchers received more than $2.9 million through that program in 2025. While that figure trailed Chrome and Cloud in headline attention, it still underlined how much research continues to focus on mobile and device security.

Why this matters

• Google set a new annual payout record in 2025
• The company rewarded 747 researchers worldwide
• AI security became part of the bug bounty push
• Chrome and Cloud accounted for a large share of payouts
• Total VRP payouts since launch now exceed $81.6 million

The broader takeaway is clear. Google is paying more because its attack surface keeps expanding, especially across cloud platforms, browsers, and AI features. The company is also trying to direct researchers toward newer risk areas before attackers do. That reading fits the official roundup and Google’s separate AI VRP launch.

FAQ