
Google has announced that in 2024, it allocated $11.8 million as part of its Vulnerability Reward Program (VRP), rewarding 660 researchers who helped uncover critical security flaws in the company’s products.
The company has revised its reward structure, increasing the maximum payouts to:
- $151,515 under Google VRP
- $300,000 for critical vulnerabilities in mobile applications
- $250,000 for security flaws discovered in Chrome
- $151,515 for cloud service vulnerabilities
Additionally, Google launched the InternetCTF competition, aimed at identifying vulnerabilities in open-source projects and addressing them through Tsunami plugins.
Changes were also introduced to the payment process—researchers can now receive rewards not only through Google’s standard system but also via the Bugcrowd platform. The Abuse VRP program saw a 40% increase in payouts compared to the previous year, with over 250 newly identified fraud and abuse-related issues, earning researchers more than $290,000 in rewards.
Google also hosted two bugSWAT events in Las Vegas and Málaga, Spain, bringing together some of the brightest minds in cybersecurity. A total of $370,000 was awarded to participants, and the hackathons led to the discovery of critical vulnerabilities in mobile devices and security systems.
The Android and Google Devices Security Program awarded researchers $3.3 million, despite an 8% decline in the number of reports. However, the percentage of critical and high-severity vulnerabilities rose by 2%, highlighting the increased resilience of the Android ecosystem. Special attention in 2024 was given to Android Automotive OS and Wear OS, while at the ESCAL8 conference, researchers identified several memory-related issues over a single weekend, earning over $75,000.
In Chrome security, 2024 saw 337 unique vulnerability reports, leading to payouts totaling $3.4 million. Among the significant achievements was the full implementation of the MiraclePtr mechanism, which rendered numerous previously exploited vulnerabilities ineffective. For the first time, a bounty of $250,128 was introduced for bypassing the MiraclePtr protection mechanism.
The Cloud VRP program, launched in October 2024, marked a new initiative focused on securing Google’s cloud products. Within its first year, more than 400 reports were processed, over 200 unique vulnerabilities were identified, and researchers received over $500,000 in rewards.
Google has also placed a strong emphasis on AI security. During the first year of the Google AI VRP program, more than 150 reports were submitted, resulting in payouts exceeding $55,000. At bugSWAT, researchers uncovered 35 vulnerabilities in generative AI systems, earning them over $87,000.
Since the inception of VRP in 2010, Google has awarded a total of $65 million in rewards. In 2024, the largest single payout reached $110,000. As the company celebrates the 15th anniversary of its Vulnerability Reward Program in 2025, it plans to further expand its initiatives, continue supporting security researchers, and implement new protective mechanisms.
The highest-ever VRP bounty, $605,000, was awarded to researcher gzobqq in 2022 for an exploit chain of five Android vulnerabilities. The same researcher had previously reported another critical Android exploit chain in 2021, earning a $157,000 reward.