
VRP 2025 Year in Review


2025 marked a special year in the history of vulnerability rewards and bug bounty programs at Google: our fifteenth anniversary 🎉🎉🎉! Originally started in 2010, our vulnerability reward program (VRP) has seen constant additions and expansions over the past decade and a half, clearly indicating the value the programs under this umbrella contribute to the safety and security of Google and its users, but also highlighting their acceptance by the external research community, without which such programs cannot function.

Coming back to 2025 specifically, our VRP once again confirmed the ongoing value of engaging with the external security research community to make Google and its products safer. This was more evident than ever as we awarded over $17 million (an all-time high and more than 40% increase compared to 2024!) to over 700 researchers based in countries around the globe – across all of our programs.

Vulnerability Reward Program 2025 in Numbers

Want to learn more about who’s reporting to the VRP? Check out our Leaderboard on the Google Bug Hunters site.

VRP Highlights in 2025

In 2025 we made a series of changes and improvements to our VRP and related initiatives, and continued to invest in the security research community through a series of focused events:

  • The new, dedicated AI VRP was launched, underscoring the importance of this space to Google and its relevance for external researchers. Previously organized as a part of the Abuse VRP, moving into a dedicated VRP has gone hand in hand with improvements to the rules, offering researchers more clarity on scope and reward amounts.

  • Similarly, the Chrome VRP now also includes reward categories for problems found in AI features.

  • We launched a patch rewards program for OSV-SCALIBR, Google’s open source tool for finding vulnerabilities in software dependencies. Contributors are rewarded for providing novel OSV-SCALIBR plugins for inventory, vulnerability, or secret detection that expand the tool’s scanning capabilities. Besides strengthening the tool’s capabilities for all users, user submissions already helped us discover and remediate a number of leaked secrets internally!

  • As part of Google’s Cybersecurity Awareness Month campaign in October, we hosted our very own security conference in Mexico City, ESCAL8. The conference included init.g(mexico), our cybersecurity workshop for students, HACKCELER8, Google’s CTF finals, and a Safer with Google seminar, sharing technical thought leadership with Mexican government officials.

  • bugSWAT, our special invite-only live hacking event, saw several editions in 2025 and delivered some outstanding findings across different areas:

    • We hosted our first dedicated AI bugSWAT (Tokyo) in April which yielded a whopping 70+ reports filed and over $400,000 in rewards issued.

    • We continued the momentum in early summer with Cloud bugSWAT (Sunnyvale) in June resulting in 130 reports, with $1,600,000 in rewards paid out.

    • Next in line was bugSWAT Las Vegas in August, leading to 77 reports and rewards of $380,000.

    • And finally, as part of ESCAL8 in Mexico City, bugSWAT Mexico focused on many different targets and areas including AI, Android, and Cloud, and resulted in the filing of 107 reports, totalling $566,000 in rewards so far.

Looking for more details? See the extended version of this post on the Security Engineering blog for reports from individual VRPs such as Android, Abuse, AI, Cloud, Chrome, and OSS, including specifics regarding high-impact bug reports and focus areas of security research.

What’s coming in 2026

In 2026, we remain fully committed to fostering collaboration, innovation, and transparency with the security community by hosting several bugSWAT events throughout the year, and following up with the next edition of our cybersecurity conference, ESCAL8. More broadly, our goal remains to stay ahead of emerging threats, adapt to evolving technologies, and continue to strengthen the security posture of Google’s products and services – all of which is only possible in collaboration with the external community of researchers we’re so lucky to collaborate with!

In this spirit, we’d like to extend a huge thank you to our bug hunter community for helping us make Google products and platforms more safe and secure for our users around the world – and invite researchers not yet engaged with the Vulnerability Reward Program to join us in our mission to keep Google safe (check out our programs for inspiration 🙂)!

Thank you to Tony Mendez, Dirk Göhmann, Alissa Scherchen, Krzysztof Kotowicz, Martin Straka, Michael Cote, Sam Erb, Jason Parsons, Alex Gough, and Mihai Maruseac.

Tip: Want to be informed of new developments and events around our Vulnerability Reward Program? Follow the Google VRP channel on X to stay in the loop and be sure to check out the Security Engineering blog, which covers topics ranging from VRP updates to security practices and vulnerability descriptions!
