Google Paid $17.1M to Bug Hunters in 2025

Google reported that it paid out $17.1 million to security researchers in 2025 through its vulnerability reward programs, the largest single‑year total in the company's history. The payouts cover a wide range of products and platforms, from Chrome and Android to cloud services and open‑source projects.

Bug bounty programs have become a cornerstone of modern security practices, encouraging independent researchers to responsibly disclose flaws rather than exploit them. Google's programs include the Vulnerability Reward Program (VRP) and separate initiatives for specific products like Chrome and Android, each with its own eligibility rules and reward tiers.

Security teams say higher payouts are partly a response to increasingly sophisticated threats and the higher value of finding complex, chainable vulnerabilities. Reward amounts vary depending on severity, exploitability, and the potential impact on users or the platform. In recent years, multi‑component exploits that combine flaws across browser, OS, and cloud layers have driven some of the largest awards.

Google also highlights that timely, clear reports from researchers speed up remediation. The company typically credits contributors publicly when reports are handled responsibly, which many researchers value as recognition alongside monetary rewards. Some researchers reported record‑breaking bounties this year, reflecting both the scale of the issues found and evolving program incentives.

For organizations and developers, the trend underlines the continued importance of engaging with the security research community and investing in mature vulnerability triage and patching processes. As attack techniques evolve, so too are the incentives to find and fix weaknesses before they can be weaponized.

If you follow security news, this number should not be surprising — it feels like the market for high‑impact vulnerability research is growing, and companies are putting real money behind proactive defense.