Google Awards $458,000 in Bug Bounties and Expands AI Security Efforts at bugSWAT 2025

Google has announced that it awarded $458,000 in bug bounty rewards during its annual bugSWAT hacking event, held alongside the ESCAL8 cybersecurity conference in New Mexico. The three-day event brought together 38 top bug hunters from around the world for a combination of live hacking sessions, AI security challenges, and technical training focused on improving the resilience of Google’s platforms.

Participants submitted 107 verified vulnerability reports across Google’s ecosystem, including Android, Google Cloud, and emerging AI services. The initiative continues Google’s long-running commitment to the security researcher community through its Vulnerability Reward Program (VRP).

Expanding Into AI Vulnerability Discovery

One of the major announcements at this year’s event was the introduction of Google’s AI Vulnerability Reward Program (AI VRP) — a new framework designed to incentivize security research in artificial intelligence systems.

The program offers rewards of up to $20,000 for vulnerabilities that can lead to account compromise, data manipulation, or unauthorized access through AI-driven features. It builds on Google’s 2023 Abuse VRP, which first extended bug bounty coverage to AI misuse scenarios.

However, the AI VRP explicitly excludes issues like prompt injection, jailbreaks, and alignment flaws, which Google continues to handle through in-product reporting mechanisms. This distinction reflects a growing recognition that AI security challenges differ significantly from traditional software vulnerabilities, requiring dedicated evaluation frameworks.

Training, Collaboration, and Next-Generation Security Talent

In addition to professional hacking sessions, ESCAL8 featured init.g(mexico) — a two-day cybersecurity training program for university students. More than 60 students from local universities participated in workshops and lectures on web exploitation, cryptography, and offensive security techniques.

Google stated that the goal of the initiative is to inspire new cybersecurity talent, particularly from underrepresented backgrounds, and to provide early exposure to real-world hacking scenarios.

The conference also hosted Hackceler8, Google’s competitive capture-the-flag (CTF) event. Eight finalist teams were invited to the in-person finals after qualifying from a pool of over 250 online teams, solving creative, visually designed security puzzles that mirrored real-world attack vectors.

Building a Safer AI Future Through Community Collaboration

By combining live security testing, AI-focused research incentives, and educational outreach, Google’s bugSWAT and ESCAL8 events highlight a broader strategic shift — treating cybersecurity as a collaborative ecosystem rather than an isolated discipline.

As AI continues to integrate deeply into core products and services, Google’s approach underscores a key message: the future of digital safety depends on proactive collaboration between researchers, engineers, and the next generation of security professionals.