Since 2010, Google has been rewarding security researchers who identify vulnerabilities in its products. In 2025, the tech giant paid a record sum to these experts, highlighting the growing importance of their contribution to the security of modern technologies. Let’s discover how this program continues to adapt and expand to address new threats.
Key Takeaways
- Google’s Vulnerability Reward Program (VRP) has distributed over 81 million dollars since 2010.
- In 2025, 17.1 million dollars were paid to more than 700 researchers, marking a 40% increase compared to the previous year.
- The program has integrated new categories, including artificial intelligence and the OSV-SCALIBR tool.
Evolution of the Vulnerability Reward Program
Launched in 2010, Google’s Vulnerability Reward Program (VRP) has gradually evolved to include various products and technologies. Initially focused on platforms such as Android and Chrome, the program has expanded to cover cloud services and open-source software. In 2025, the introduction of artificial intelligence into the VRP marked a new stage, underscoring the priority Google places on securing its technological innovations.
With a total amount of 81.6 million dollars paid over 15 years, the VRP continues to adapt to the needs of digital security. This expansion not only anticipates potential threats but also strengthens user confidence in Google products.
Focus on Artificial Intelligence and Cloud
In 2025, artificial intelligence was highlighted with the creation of a dedicated program, separate from the Abuse VRP. This initiative allows researchers to specifically target vulnerabilities in machine learning models and AI functions, such as those of Gemini. Specific rules and reward scales have been established for each eligible scenario, thus facilitating the work of researchers.
Invitation-only hacking sessions, called bugSWAT, have also contributed to improving security measures. Events organized in cities like Tokyo, Sunnyvale, and Mexico City have allowed exploration of targeted attack surfaces involving AI, Android, and the cloud, generating significant rewards for participants.
Impact of Open Source Tools and AI-Related Challenges
With the introduction of OSV-SCALIBR, Google has strengthened its open-source security strategy. This tool detects vulnerabilities in software dependencies, allowing researchers to actively contribute to improving application security. Bonuses are offered for enhancements to the tool, encouraging external contributions.
However, the increasing use of artificial intelligence tools to generate bug reports has created challenges. False reports have been documented, as with the curl project, where only a small portion of the reports turned out to be true. This situation has led some teams, including HackerOne, to temporarily review their submission procedures.
The Future of Cybersecurity and Bug Bounties
With relentless technological advances, cybersecurity remains a priority. Bug bounty programs, such as Google’s, illustrate the importance of collaboration between companies and independent researchers to anticipate and neutralize threats. As technologies evolve, these initiatives will continue to adapt their strategies to meet the challenges of tomorrow, particularly with the rise of AI and the Internet of Things (IoT).






