Google announced that it paid out $17.1 million in rewards via its bug bounty programs in 2025, for a total of $81.6 million handed out over the past 15 years.
The 2025 amount marked a 40% increase in payouts compared to the previous year, when Google paid out $12 million to bug hunters.
More than 700 security researchers were rewarded via Google’s vulnerability reward programs (VRPs) in 2025, when rewards of $250,000 were handed out to researchers who demonstrated full-chain sandbox escape attacks in Chrome.
Overall, Google awarded just over $3.7 million to more than 100 researchers who reported security defects in the Chrome browser. The top researcher earned $811,000 in bug bounties, the company’s leaderboard shows.
These efforts, the company says, helped strengthen the V8 engine’s sandbox protections and improve memory safety mechanisms.
Participants in Google’s VRPs also showed increased interest in the company’s cloud products and received over $3.5 million in bug bounties for their efforts.
According to Google, 143 different researchers were rewarded for hunting issues in cloud services, with 1,774 security reports processed in 2025 via the Cloud VRP. The program was launched in October 2024, and last year was its first full year of operation.
“Our researchers’ invaluable contributions led to the discovery and remediation of critical vulnerabilities, strengthening the security of Google Cloud for our users and customers. Insights gleaned from multiple reports prompted significant architectural changes in several Google Cloud products,” Google notes.
Last year, the internet giant awarded over $2.9 million in bug bounties to the researchers who found and reported flaws through the Android and Google Devices security reward program.
Google observed an increase in critical- and high-severity bugs, amid investments in platform hardening, such as Android’s transition to memory-safe languages, and hardware mitigations that block traditional memory corruption vectors.
The internet giant rewarded researchers for finding weaknesses in Android’s on-device Gemini implementations, as well as for a critical firmware breakthrough bypassing multiple defense-in-depth layers.
The company handed out over $890,000 in bug bounties via its AI VRP program, $482,000 in non-AI rewards via the Abuse VRP program, and more than $327,000 through the OSS VRP program.
“Our goal remains to stay ahead of emerging threats, adapt to evolving technologies, and continue to strengthen the security posture of Google’s products and services – all of which is only possible in collaboration with the external community of researchers we are so lucky to collaborate with,” Google notes.

