In 2025, Google’s Vulnerability Reward Program (VRP) marked its 15th year by achieving unprecedented payout levels. The program, which incentivizes security researchers globally, distributed a remarkable $17 million, a 40% increase over the previous year.
Record-Breaking Payouts
Over 700 ethical hackers worldwide identified and reported vulnerabilities, underscoring the critical role of community-driven security research in safeguarding essential infrastructure. This collaborative effort reflects the necessity of leveraging external expertise to address potential threats.
With artificial intelligence becoming a focal point in threat modeling, Google introduced a specialized AI Vulnerability Reward Program. This initiative, previously part of the Abuse VRP, now operates independently, offering clearer guidelines and reward tiers for AI-related discoveries.
Focus on AI and Emerging Threats
Google’s emphasis on artificial intelligence in security led to specific reward categories within the Chrome VRP, targeting vulnerabilities in AI and Gemini features. This focus has driven significant engagement from the security community throughout 2025.
The tech giant also hosted several bugSWAT events, exclusive hacking sessions aimed at addressing critical attack vectors. Notable events included the Sunnyvale Cloud bugSWAT, which yielded 130 vulnerability reports and $1.6 million in payouts, and the Tokyo AI bugSWAT, generating over 70 reports and $400,000 in rewards.
Innovative Security Initiatives
Beyond traditional product hacking, Google launched a unique patch-reward initiative for OSV-SCALIBR, an open-source tool designed to detect software dependency vulnerabilities. Contributors earn rewards for developing plugins that enhance inventory tracking and secret detection, which in turn help Google uncover internal security issues.
The company’s commitment to global outreach was further demonstrated with the ESCAL8 conference in Mexico City, featuring seminars, workshops, and the HACKCELER8 Capture the Flag finals. This event highlighted technical leadership and engaged students in cybersecurity challenges.
Looking Ahead
As Google prepares for 2026, it plans to expand its collaboration with the external security community. New bugSWAT events are being scheduled globally, alongside preparations for the next ESCAL8 conference.
Google’s substantial investments in its bug bounty program underscore the ongoing importance of crowdsourced security research as a powerful defense against evolving cyber threats.
