NEWS $1,000,000 for Hacking WhatsApp?! The Vulnerability Hunt Is On

ExcalibuR


Hackers are already diving deep into the code — who will claim the grand prize?


The organizers of the prestigious hacking competition Pwn2Own have announced a record-breaking reward that has immediately captured the attention of the entire cybersecurity community: $1,000,000 for demonstrating a zero-click vulnerability in WhatsApp. This is the largest prize in the competition's history — and it’s for an exploit that requires no user interaction whatsoever. With WhatsApp’s user base exceeding three billion people, the potential impact of such a vulnerability could be enormous.


Pwn2Own Ireland 2025 will take place from October 21 to 24 in Cork, Ireland. This year’s main sponsors include Meta, along with hardware vendors Synology and QNAP. According to the organizers at the Zero Day Initiative (ZDI), WhatsApp was already included in last year’s program, but no one attempted an attack back then. Now, with seven figures on the line, researchers might be far more motivated to take a shot.


In addition to the top prize, smaller — yet still significant — rewards are available for other WhatsApp-related exploits. The overall Pwn2Own program spans eight categories, including:


  • Smartphones
  • Messaging apps
  • Routers & smart home devices
  • Printers
  • Network storage systems
  • Surveillance cameras
  • Wearables

Devices being tested include Ray-Ban Smart Glasses, Meta Quest 3/3S headsets, and flagship smartphones like the Samsung Galaxy S25, Google Pixel 9, and iPhone 16.


An interesting addition this year is the expanded attack surface for mobile devices. Alongside wireless vectors like Wi-Fi, Bluetooth, and NFC, participants can now use USB-based attacks — meaning they can connect to locked smartphones directly and attempt physical-interface exploits, not just network-based ones.


Applications for participation are open until October 16, with presentation slots to be assigned by random draw. As usual, all discovered vulnerabilities will be reported to vendors, who will have 90 days to patch them before any technical details are made public — a rule that helps ensure security flaws are fixed before they can be exploited in the wild.


At last year’s event in Ireland, participants earned over $1 million for discovering more than 70 unique 0-day vulnerabilities. The largest single payout — $205,000 — went to Viettel Cyber Security for exploits targeting QNAP storage, Sonos speakers, and Lexmark printers. Now, with WhatsApp’s million-dollar bounty, the stakes — and potential winnings — are higher than ever.
 