Google bug bounty payments hit nearly $12 million in 2024

Application Security Testing Concept with Digital Magnifying Glass Scanning Applications to Detect Vulnerabilities - AST - Process of Making Apps Resistant to Security Threats - 3D Illustration

(Image credit: Shutterstock / ArtemisDiana)

Google bug bounties see 660 researchers get a share of $11.8 million in 2024
Chrome and Android VRPs were lucrative
Google’s VRP program turns 15 next year

Google has revealed it paid out $11.8 million in bug bounties in 2024, with payments going out to 660 security researchers, equating to a theoretical average of around $18,000 each.

Its highest payout in 2024 was $110,000, with its total payout to date now standing at $65 million since 2010.

Chrome researchers and those revealing vulnerabilities in Android and other Google Devices accounted for around half of 2024’s payouts, marking the company’s commitment to security within its most popular devices.

Google paid out $12 million in bug bounties last year

Some changes to the structures last year resulted in higher payout potentials, with the Google VRP now paying out up to $151,515, $300,000 for the Mobile VRP, $151,515 for the Cloud VRP and $250,000 for Chrome awards.

In a blog post, Google's Dirk Göhmann said researchers contributing to the Android and Google Devices Security Reward Program and the Google Mobile Vulnerability Reward Program got over $3.3 million in rewards in 2024, adding that 8% fewer reports were logged. However, the company did see a minor 2% increase in critical and high vulnerabilities.

A total of 337 unique reports were made to the Chrome VRP – 137 received rewards totalling an additional $3.4 million.

Google also celebrated the launch of a new category – 2024 was its first full year of AI bug bounties, but payouts remained relatively low, at $55,000.

Other successes include two bugSWAT events and four init.g workshops to support the next generation of security researchers.

Looking ahead, Göhmann noted the company will be celebrating 15 years of VRP in 2025 – it’s unclear whether any changes will be made to its VRPs to commemorate this milestone.

Göhmann added: “We want to send a huge thank you to our bug hunter community for helping us make Google products and platforms more safe and secure for our users around the world – and invite researchers not yet engaged with the Vulnerability Reward Program to join us in our mission to keep Google safe!”

We’ve listed the best malware removal
Google paid out over $10 million in bug bounties last year
Fancy an upgrade? Check out the best laptops for programmers

TOPICS

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!