• by Laurie Sullivan , Staff Writer @lauriesullivan, March 10, 2025

Rewards went to 660 security researchers who reported security bugs in Google's products throughout the company from its Vulnerability Reward Program (VRP). The bounties were paid for jobs well done in 2024.

Researchers were based in countries worldwide across all of Google’s programs. The highest reward was $110,000. Google has given away $65 million in rewards since starting this program in 2010.

Artificial intelligence (AI) bug bounties were celebrated in December 2024 during its one-year anniversary of the program, showing the importance of the technology. That year, Google received about 150 reports and rewarded developers with a total of $55,000 for identifying AI bugs. One in six led to important improvements. 

The goal in 2025 is to focus on expanding its scope and sharing additional ways for the research community to contribute. 

Overall, Google made a series of changes last year to improve the bug bounty process. It overhauled its structure by increasing rewards to a maximum of $151,515.

The Mobile VRP, which usually takes place in April if anyone is interested in participating, now offers up to $300,000 for critical vulnerabilities in top-tier apps.

Google’s Cloud VRP has a top-tier award of up $151,515, and Chrome awards now peak at $250,000 for one issue.

The company received 337 reports of unique, valid security bugs in Chrome in 2024, and awarded 137 Chrome VRP researchers $3.4 million in total. The highest single reward of 2024 was $100,115 and was awarded to Mickey for their report of a MiraclePtr Bypass after MiraclePtr was initially enabled across most platforms in Chrome M115 in 2023.

Microsoft also raised rewards for its Copilot (AI) bug bounty program, increasing payouts for moderate severity vulnerabilities.

The company added a larger range of Copilot consumer products and services to the program, including Copilot for Telegram, Copilot for WhatsApp, copilot.microsoft.com, and copilot.ai.

It now also offering incentives of up to $5,000 for reporting moderate vulnerabilities, which can significantly affect the security and reliability of its Copilot products.

The announcement made in February introduced incentives for “moderate severity Copilot cases,” but did not identify the previous rewards payout amount.