Google’s Bug Bounty Program Hits All-Time High With $17 Million in 2025 Payouts

In 2025, Google broke previous payout records for the Vulnerability Reward Program (VRP) on its 15th anniversary. The tech giant gave $17 million to outside security researchers around the world, which is a big 40% increase from 2024. More than 700 ethical hackers from around the world found and responsibly reported vulnerabilities.

This shows that community-driven security research is still important for protecting critical infrastructure. Google wants to keep this momentum going by working more with outside security communities in 2026. The VRP team is quickly planning new BugSWAT events all over the world and getting ready for the next ESCAL8 conference. Threat actors are taking a strategic approach, as shown by Google's large bug bounty investments.

Crowdsourced security research is one of the best ways to protect against new cyber threats.

Google's Bug Bounty Program now has specific reward categories just for bugs found in Chrome's built-in AI and Gemini features. Google also started a special patch-reward program for OSV-SCALIBR, an open-source tool that finds security holes in software dependencies. There were technical thought leadership seminars, student workshops, and the HACKCELER8 Capture the Flag (CTF) finals at the event.

Google said that these community submissions have already helped the company find and fix leaked secrets within the company. The global outreach program also got a big boost with the start of ESCal8, a security conference in Mexico City just for that purpose.