Google’s Vulnerability Reward Program (VRP) closed out 2025 with the largest payout in its history: more than $17 million distributed to over 700 security researchers across the globe. That figure represents an increase of more than 40 percent over 2024, and it coincides with the 15th anniversary of the program, which launched in 2010.

Key Structural Changes in 2025

Several notable expansions reshaped the program over the course of the year.

  • Dedicated AI VRP: Google spun out a standalone AI-focused reward program, which was previously folded into the Abuse VRP. The separation brought clearer scope definitions and revised reward tiers for researchers targeting AI systems.
  • Chrome AI rewards: The Chrome VRP was updated to include reward categories specifically for vulnerabilities discovered in AI features within the browser.
  • OSV-SCALIBR patch rewards: Google introduced a patch rewards program for OSV-SCALIBR, its open-source software dependency scanning tool. Researchers can earn rewards for contributing novel plugins covering inventory, vulnerability, or secret detection. Submissions have already surfaced and remediated a number of leaked secrets internally.

Live Hacking Events and Findings

Google’s invite-only bugSWAT live hacking events ran several editions in 2025, each focused on distinct product areas.

  • AI bugSWAT (Tokyo, April): The first event dedicated exclusively to AI targets produced more than 70 reports and over $400,000 in rewards.
  • Cloud bugSWAT (Sunnyvale, June): The largest single event of the year, generating 130 reports and $1.6 million in payouts.
  • bugSWAT Las Vegas (August): Yielded 77 reports and $380,000 in rewards.
  • bugSWAT Mexico City (October): Conducted as part of the ESCAL8 security conference, this event spanned AI, Android, and Cloud targets. It produced 107 reports and $566,000 in rewards to date.

ESCAL8 Conference

In October, Google hosted ESCAL8 in Mexico City as part of Cybersecurity Awareness Month. The event combined a student cybersecurity workshop (init.g(mexico)), the HACKCELER8 CTF finals, and a Safer with Google seminar that included sessions with Mexican government officials.

Outlook for 2026

Google indicated it plans to continue hosting multiple bugSWAT events throughout 2026 and will hold another edition of the ESCAL8 conference. The company said its broader aim remains to stay current with emerging threats and evolving technology, with external researcher collaboration described as central to that effort.

Researchers not yet participating in the VRP can review current program offerings through Google’s Bug Hunters platform.