Red Hot Cyber


WhatsApp in the crosshairs! At Pwn2Own Ireland 2025, a $1 million prize will be awarded for a zero-click RCE exploit.

Redazione RHC : 1 August 2025 14:15

Trend Micro’s Zero Day Initiative (ZDI) has announced a reward worthy of a zero-day broker!

An unprecedented $1,000,000 reward is being offered to anyone who can develop a zero-click remote code execution (RCE) exploit against WhatsApp during the 2025 edition of Pwn2Own Ireland.

This record-breaking bounty, co-funded by Meta, marks the largest single prize ever offered in the competition’s history and highlights the crucial importance of protecting the world’s most popular messaging platform.

Key points

  1. Record reward of 1 million dollars for a zero-click exploit on WhatsApp
  2. Competition divided into 8 categories; registration due by October 16, 2025
  3. The increase in the reward from $300,000 to $1,000,000 reflects the growing threat of attacks by nation-states and through the use of spyware.

Rewards for zero-click exploits on WhatsApp

The collaboration between Meta and Pwn2Own Ireland 2025 marks a step change in big tech’s strategy to incentivize research into the most critical vulnerabilities. With over three billion users, WhatsApp is a prime target for nation-state actors and advanced persistent threat (APT) groups, who aim to compromise it without requiring any user interaction.

The increase in the bounty from last year’s $300,000 demonstrates Meta’s growing commitment to proactively preventing the most sophisticated threats. Specifically, the $1 million reward will be reserved for zero-click exploits capable of achieving complete remote code execution.

Smaller rewards will be available for vulnerabilities that require minimal interaction or only lead to privilege escalation, as specified by the organization. This tiered reward system aims to stimulate research across the app’s entire attack surface, from memory corruption bugs to logic flaws in message handling.

Other Competition Categories

Pwn2Own Ireland 2025 will be held in Cork from October 21st to 24th and will include eight categories reflecting the modern threat landscape. In addition to the messaging category, researchers will be able to test their skills in:

  • New USB port attacks on mobile devices, demonstrating proximity attacks even against locked devices;
  • The SOHO Smashup category, which awards $100,000 and 10 “Master of Pwn” points to anyone who can chain together exploits on home network devices within 30 minutes;
  • Smart home devices, QNAP and Synology NAS systems, surveillance devices, and Meta wearable technology, such as Ray-Ban sunglasses and Quest 3/3S headsets.

Each category requires realistic exploits, based on network-exposed attack surfaces, RF vectors, or proximity scenarios.

Registration and Expectations

Registration closes at 5:00 PM (Irish time) on October 16, 2025. The order of demonstrations will be determined by random draw. In its 2024 edition, Pwn2Own Ireland awarded a total of $1,066,625, recognizing over 70 unique zero-day exploits.

With Meta’s strategic partnership and the expansion of the competition categories, Pwn2Own Ireland 2025 promises to showcase the most advanced exploit techniques, strengthening global security through responsible vulnerability disclosure.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
