Google has marked the 15th anniversary of its Vulnerability Reward Program (VRP) with a record-breaking milestone, awarding $17 million to security researchers in 2025. The payout represents a 40% increase compared to the previous year, underscoring the growing importance of ethical hacking and community-driven security in defending modern digital ecosystems.

The program saw participation from over 700 ethical hackers worldwide, all of whom contributed to identifying and responsibly disclosing vulnerabilities across Google’s vast product portfolio. This surge in engagement highlights the critical role external researchers continue to play in strengthening cybersecurity defenses at scale.

A major focus for Google in 2025 was the evolving threat landscape surrounding artificial intelligence. In response, the company launched a dedicated AI Vulnerability Reward Program, separating it from the broader Abuse VRP category. This new initiative introduces clearer scoping guidelines and structured reward tiers specifically for AI-related vulnerabilities, reflecting the increasing complexity and risk associated with machine learning systems.

Google also expanded its Chrome Vulnerability Reward Program to address emerging risks tied to AI integration. New reward categories now target vulnerabilities within Chrome’s AI-powered features, including those linked to its Gemini capabilities, ensuring that browser security keeps pace with rapid technological advancements.

Community engagement played a pivotal role in the program’s success, particularly through Google’s bugSWAT events – exclusive, invite-only live hacking sessions focused on high-priority targets. These events delivered significant results throughout the year. The Sunnyvale Cloud bugSWAT alone generated 130 vulnerability reports and $1.6 million in payouts. In Tokyo, an AI-focused bugSWAT event produced over 70 reports and $400,000 in rewards. Mexico City’s event contributed 107 reports spanning AI, Android, and Cloud systems, earning participants $566,000, while Las Vegas added 77 verified reports and $380,000 in bounties.

In addition to traditional bug hunting, Google introduced a patch-reward initiative for OSV-SCALIBR, an open-source tool designed to detect vulnerabilities in software dependencies. Security researchers are now incentivized to develop plugins that enhance capabilities such as inventory tracking and secret detection. These contributions have already helped uncover and remediate internal security issues, including exposed credentials.

Google also strengthened its global security outreach with the launch of ESCAL8, a dedicated conference held in Mexico City. The event brought together security professionals, researchers, and students through technical sessions, workshops, and the HACKCELER8 Capture the Flag finals, further fostering collaboration within the cybersecurity community.

Looking ahead, Google plans to expand its efforts in 2026 by increasing the frequency of bugSWAT events and continuing the growth of the ESCAL8 conference. The company aims to deepen its collaboration with external researchers while adapting to the rapidly changing threat landscape.

As cyber threats evolve alongside emerging technologies like AI, Google’s continued investment in bug bounty programs highlights a clear strategy: leveraging global security talent remains one of the most effective ways to identify vulnerabilities and protect critical infrastructure at scale.
