Google paid $17.1 million for vulnerability reports in 2025
Summary
Google paid out $17.1 million to 747 security researchers in 2025 for identifying vulnerabilities through its Vulnerability Reward Program (VRP). The company also highlighted the program's success in incentivizing bug reporting and improving its security posture.
IFF Assessment
FRIEND
This is good news for defenders, as it indicates a proactive approach by a major tech company to incentivize the discovery and reporting of vulnerabilities, ultimately strengthening its security.
Defender Context
This demonstrates the value of bug bounty programs in finding and fixing vulnerabilities before they can be exploited. Defenders should be aware of the types of bugs being reported and consider implementing similar programs or staying updated on common vulnerability disclosures.