Security News

Cybersecurity news aggregator

INFO News SecurityWeek

Google Paid Out $17 Million in Bug Bounty Rewards in 2025

  • What: Google paid $17 million in bug bounty rewards in 2025
  • Impact: Highlights ongoing efforts to improve software security through researcher collaboration

Google paid over $3.7 million for Chrome vulnerabilities, and more than $3.5 million for cloud security defects.

By Ionut Arghire | March 13, 2026 (7:04 AM ET)

Google announced paying out $17.1 million in rewards via its bug bounty programs in 2025, for a total of $81.6 million handed out over the past 15 years. The 2025 amount marked a 40% increase in payouts compared to the previous year, when Google paid out $12 million to bug hunters.

More than 700 security researchers were rewarded via Google’s vulnerability reward programs (VRPs) in 2025, when rewards of $250,000 were handed out to researchers who demonstrated full-chain sandbox escape attacks in Chrome.

Overall, Google awarded just over $3.7 million to more than 100 researchers who reported security defects in the Chrome browser. The top researcher earned $811,000 in bug bounties, the company’s leaderboard shows. These efforts, the company says, helped strengthen the V8 engine’s sandbox protections and improve memory safety mechanisms.

Participants in Google’s VRPs also showed increased interest in the company’s cloud products and received over $3.5 million in bug bounties for their efforts.

According to Google, 143 different researchers were rewarded for hunting issues in cloud services, with 1,774 security reports processed in 2025 via the Cloud VRP. The program was launched in October 2024, and last year was its first full year of operation.

“Our researchers’ invaluable contributions led to the discovery and remediation of critical vulnerabilities, strengthening the security of Google Cloud for our users and customers. Insights gleaned from multiple reports prompted significant architectural changes in several Google Cloud products,” Google notes.

Last year, the internet giant awarded over $2.9 million in bug bounties to the researchers who found and reported flaws through the Android and Google Devices security reward program.

Google observed an increase in critical- and high-severity bugs, amid investments in platform hardening, such as Android’s transition to memory-safe languages, and hardware mitigations that block traditional memory corruption vectors.

The internet giant awarded researchers for finding weaknesses in Android’s on-device Gemini implementations, as well as a critical firmware breakthrough bypassing multiple defense-in-depth layers.

The company handed out over $890,000 in bug bounties via its AI VRP program, $482,000 in non-AI rewards via the Abuse VRP program, and more than $327,000 through the OSS VRP program.

“Our goal remains to stay ahead of emerging threats, adapt to evolving technologies, and continue to strengthen the security posture of Google’s products and services – all of which is only possible in collaboration with the external community of researchers we are so lucky to collaborate with,” Google notes.

Ionut Arghire is an international correspondent for SecurityWeek.