Google paid $17.1 million for vulnerability reports in 2025
Google paid over $17 million to 747 security researchers who reported security bugs through its Vulnerability Reward Program (VRP) in 2025. [...]
Reward-related cybersecurity coverage examines bug bounties, vulnerability disclosure incentives, and how compensation can influence reporting and risk.
Search across headline titles and summaries.
Background for this topic.
Reward in information security usually means compensation offered for finding and responsibly reporting a vulnerability, commonly through a bug bounty or vulnerability disclosure program. Payment may depend on severity, exploitability, affected assets, report quality, and whether the issue is previously known. Some programs also reward information that helps identify active abuse or improve defenses, but the intended activity and eligibility should be explicitly defined.
Rewards can extend defensive testing beyond an organization’s internal teams, but they require clear scope, reporting channels, response targets, and rules for handling sensitive data. Without these controls, researchers may test unauthorized systems, expose personal information in proof-of-concept material, submit duplicates or invalid findings, or dispute inconsistent decisions. Security teams should connect accepted reports to vulnerability management: validate and prioritize findings, track remediation, communicate disclosure decisions, and preserve evidence. Program metrics such as response time, remediation time, and recurring vulnerability classes can show whether incentives are improving security rather than merely increasing report volume.
Weekly headline count for the current query.
Google paid over $17 million to 747 security researchers who reported security bugs through its Vulnerability Reward Program (VRP) in 2025. [...]
Dutch authorities arrested a 40-year-old man after he downloaded confidential documents that had been mistakenly shared by the police and refused to delete them unless he received "something in return." [...]
Apple is announcing a major expansion and redesign of its bug bounty program, doubling maximum payouts, adding new research categories, and introducing a more transparent reward structure. [...]
This week, Google has launched an AI Vulnerability Reward Program dedicated to security researchers who find and report flaws in the company's AI systems. [...]
The U.S. Department of State is offering a reward of up to $10 million for information on three Russian Federal Security Service (FSB) officers involved in cyberattacks targeting U.S. critical infrastructure organizations on behalf of the Russian government. [...]
Europol has confirmed that a Telegram channel impersonating the agency and offering a $50,000 reward for information on two Qilin ransomware administrators is fake. The impostor later admitted it was created to troll researchers and journalists. [...]
The Zero Day Initiative is offering a $1 million reward to security researchers who will demonstrate a zero-click WhatsApp exploit at its upcoming Pwn2Own Ireland 2025 hacking contest. [...]
The U.S. Department of State has announced a reward of up to $10 million for any information on government-sponsored hackers with ties to the RedLine infostealer malware operation and its suspected creator, Russian national Maxim Alexandrovich Rudometov. [...]
Thousands tricked by fake reward & toll scam texts. CTM360 exposes PointyPhish & TollShark—SMS phishing campaigns powered by the Darcula PhaaS platform, with 5K+ domains stealing payment info worldwide. [...]
Google paid almost $12 million in bug bounty rewards to 660 security researchers who reported security bugs through the company's Vulnerability Reward Program (VRP) in 2024. [...]
The U.S. State Department is offering a reward of up to $5 million for information that could help disrupt the activities of North Korean front companies and employees generating millions via illegal remote IT work schemes. [...]
The U.S. Department of State and the Secret Service have announced a reward of $2,500,000 for information leading to Belarusian national Volodymyr Kadariya (Владимир Кадария) for cybercrime activities. [...]
Google has more than doubled payouts for Google Chrome security flaws reported through its Vulnerability Reward Program, with the maximum possible reward for a single bug now exceeding $250,000. [...]
Google has launched kvmCTF, a new vulnerability reward program (VRP) first announced in October 2023 to improve the security of the Kernel-based Virtual Machine (KVM) hypervisor that comes with $250,000 bounties for full VM escape exploits. [...]
The U.S. indicted Russian national Amin Timovich Stigal for his alleged role in cyberattacks targeting Ukrainian government computer networks in an operation from the Russian foreign military intelligence agency (GRU) prior to invading the country. [...]
Cyberespionage groups have been using ransomware as a tactic to make attack attribution more challenging, distract defenders, or for a financial reward as a secondary goal to data theft. [...]
After many months of taunting law enforcement and offering a million-dollar reward to anyone who could reveal his identity, the FBI and NCA have done just that, revealing the name of LockBitSupp, the operator of the LockBit ransomware operation. [...]
Google has increased rewards for reporting remote code execution vulnerabilities within select Android apps by ten times, from $30,000 to $300,000, with the maximum reward reaching $450,000 for exceptional quality reports. [...]
Google announced today that bug bounty hunters who report sandbox escape chain exploits targeting its Chrome web browser are now eligible for triple the standard reward until December 1st, 2023. [...]
LayerZero Labs has launched a bug bounty on the Immunefi platform that offers a maximum reward of $15 million for critical smart contract and blockchain vulnerabilities, a figure that sets a new record in the crypto space. [...]