Pwn2Own Ireland 2025 Sets Record $1M Bounty for WhatsApp Zero-Click Exploit
In an unprecedented move for ethical hacking competitions, the Zero Day Initiative (ZDI) has placed a $1 million bounty on zero-click vulnerabilities in WhatsApp—the largest single prize in Pwn2Own history. The target: security flaws allowing remote code execution without any user interaction on Meta's messaging giant, which boasts over three billion global users. This headline-grabbing reward anchors Pwn2Own Ireland 2025 (October 21-24), where Meta joins Synology and QNAP as co-sponsors in a concerted push to harden critical infrastructure.
"They are so excited for it, we're putting up $1,000,000 for a 0-click WhatsApp bug that leads to code execution," ZDI stated, acknowledging last year's unsuccessful attempt to attract researchers to the messaging category. The prize structure includes smaller awards for other WhatsApp exploit chains, signaling heightened industry focus on securing communication platforms against nation-state-level attacks.
WhatsApp Pwn2Own awards (ZDI)
The contest dramatically expands its attack surface beyond previous editions:
- Mobile devices now include USB port exploitation as a valid vector, requiring researchers to compromise locked flagship phones (iPhone 16, Galaxy S25, Pixel 9) via physical connections
- Wearable tech targets include Meta's Ray-Ban Smart Glasses and Quest 3/3S headsets
- Eight total categories span printers, NAS systems, surveillance gear, and smart home devices
ZDI's operational model turns research into remediation: successful exploits trigger a 90-day disclosure embargo, allowing vendors to patch vulnerabilities before public release. Last year's Ireland event saw over 70 zero-days uncovered, with Viettel Cyber Security alone claiming $205,000 for QNAP, Sonos, and Lexmark exploits.
This million-dollar incentive reflects the catastrophic potential of WhatsApp exploits—where a single vulnerability could compromise billions. As surveillance mercenaries increasingly weaponize zero-clicks, Pwn2Own's record bounty represents a strategic investment in crowd-sourced defense, transforming Cork into ground zero for preemptive security innovation.
Source: BleepingComputer