GOOGLE announced paying out $17.1 million in rewards through its bug bounty programmes in 2025, bringing the total handed out over the past 15 years to $81.6 million. Google paid over $3.7 million for Chrome vulnerabilities and more than $3.5 million for cloud security defects, with rewards of $250,000 handed out to researchers who demonstrated full-chain sandbox escape attacks in Chrome.
More than 700 security researchers were rewarded in 2025, and the top Chrome researcher earned $811,000, while Google awarded just over $3.7 million to more than 100 researchers who reported Chrome defects. According to Google, 143 researchers were rewarded for cloud issues, with 1,774 security reports processed in 2025 via the Cloud VRP, whose programme was launched in October 2024 and had its first full year of operation in 2025.
The company also noted over $2.9 million in bug bounties for Android and Google Devices security rewards, and separate payouts of over $890,000 through the AI VRP, $482,000 through Abuse VRP, and more than $327,000 through OSS VRP.