Google paid almost $12 million in bug bounty rewards to 660 security researchers who reported security bugs through the company’s Vulnerability Reward Program (VRP) in 2024.
Among last year’s highlights, the company revamped the VRP’s reward structure, bumping rewards up to a maximum of $151,515, while its Mobile VRP now offers up to $300,000 for critical vulnerabilities in top-tier apps (with a maximum reward reaching $450,000 for exceptional quality reports).
The Cloud VRP increased the top-tier reward amounts by up to five times in July, while Chrome security bug rewards now exceed $250,000.
Last year, Google more than doubled rewards for MiraclePtr bypasses to $250,128 from $100,115 when the MiraclePtr Bypass Reward was launched.
It also launched kvmCTF, a new VRP unveiled in October 2023, aiming to improve the security of the Kernel-based Virtual Machine (KVM) hypervisor, that offers $250,000 bounties for full VM escape exploits.
The company says it awarded $65 million in bug bounties since its first vulnerability reward program went live in 2010, while the highest reward paid last year was over $110,000.
In 2024, Google awarded $3.4 million to 137 Chrome VRP researchers after analyzing 137 reports of valid Chrome security bugs.
The highest bug bounty of 2024 was $100,115 for the report of a MiraclePtr Bypass after MiraclePtr was initially enabled across most platforms in Chrome M115 in 2023.
The company also paid over $3.3 million to researchers who reported security bugs through the company’s Android and Google Devices Security Reward Program and the Google Mobile Vulnerability Reward Program.
“In 2025, we will be celebrating 15 years of VRP at Google, during which we have remained fully committed to fostering collaboration, innovation, and transparency with the security community, and will continue to do so in the future,” Google said.
“Our goal remains to stay ahead of emerging threats, adapt to evolving technologies, and continue to strengthen the security posture of Google’s products and services.”
One year earlier, in 2023, Google awarded $10 million to 632 researchers for finding and responsibly reporting security flaws in its products and services.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
