Google’s 15‑Year Bug Bounty Payouts Reach $81.6 Million, 2025 Rewards Jump 40%

Google’s Vulnerability Reward Program (VRP) has paid a total of $81.6 million in bug bounties over the past 15 years. In 2025 the program disbursed $17.1 million, a 40% increase over the $12 million paid in 2024.

The 2025 payouts are split among several product areas: Chrome received $3.7 million, cloud‑security $3.5 million, and AI‑related research $0.89 million. Over 700 security researchers earned rewards, including $250 000 for a full‑chain sandbox‑escape demonstration in Chrome.

For Chrome alone, more than 100 researchers were awarded $3.7 million, with the top contributor—a Korean researcher named Lee Seong‑hyun—earning $811 000 (approximately $81.1 k).

In the cloud‑security track, 143 distinct researchers filed 1 774 reports, collectively receiving $3.5 million. Google noted that these findings prompted major architectural changes across its cloud services.

Android and device‑security programs paid over $2.9 million in 2025, rewarding researchers who uncovered critical flaws in the Gemini implementation and bypassed multiple deep‑defense layers.

The AI‑focused VRP granted more than $0.89 million, while non‑AI and open‑source software (OSS) programs distributed $482 000 and $327 000 respectively.

Google emphasized that the external research community’s contributions have strengthened the V8 sandbox, improved memory‑safety mechanisms, and helped the company stay ahead of emerging threats.