Trend Micro’s Zero Day Initiative (ZDI) has unveiled a historic $1,000,000 reward for a zero-click remote code execution (RCE) exploit targeting WhatsApp. The prize will be awarded during the upcoming Pwn2Own Ireland 2025 competition, marking the highest single payout in the event’s history.
Co-sponsored by Meta, Synology, and QNAP, this unprecedented bounty highlights the growing urgency around securing WhatsApp—the world’s most widely used messaging app with over three billion users.
Key Highlights
- $1 million reward for WhatsApp zero-click RCE exploit
- Eight competition categories
- Registration deadline: October 16, 2025
- Prize increase from $300K reflects growing concerns over nation-state threats
Meta’s Push for Proactive Security
Meta’s collaboration with Pwn2Own marks a shift in how major tech companies incentivize security research. With the rising threat of zero-click exploits used by nation-state and APT (Advanced Persistent Threat) actors, this year’s bounty for WhatsApp vulnerabilities has more than tripled compared to the previous $300,000 offer.
“We’re excited to announce that Meta is co-sponsoring this year’s event, and they are hoping to see some great WhatsApp exploits,” reads the ZDI’s announcement. “They are so excited for it, we’re putting up $1,000,000 for a 0-click WhatsApp bug that leads to code execution.”
The new $1 million prize targets the most dangerous class of bugs—those requiring no user interaction and enabling full remote code execution. Additional reward tiers are available for other exploit types, including those that require limited user interaction or lead to privilege escalation rather than full compromise.
Broad Attack Surface, Tiered Incentives
ZDI’s tiered reward structure encourages researchers to investigate the entire WhatsApp attack surface—from memory corruption to logic flaws in message handling. These rewards aim to bring responsible disclosure to the forefront and help secure billions of users worldwide.
Expanded Contest Categories
Set for October 21–24, 2025 in Cork, Ireland, Pwn2Own will feature eight distinct categories, messaging apps among them:
- Mobile phones
- Messaging apps
- Home networking gear
- Smart home devices
- Printers
- Network-attached storage (NAS)
- Surveillance systems
- Wearable tech
Devices in scope include Meta’s Ray-Ban Smart Glasses, Quest 3/3S headsets, Samsung Galaxy S25, Google Pixel 9, and the upcoming iPhone 16.
ZDI has expanded the attack vectors for mobile devices. In addition to traditional wireless protocols like Wi-Fi, Bluetooth, and NFC, this year introduces USB-based exploits, requiring participants to hack into locked phones via physical connections.
Deadline & Expectations
Registration closes on October 16 at 5:00 p.m. Irish Standard Time, with presentation order decided by random draw. The Pwn2Own event is designed to uncover and responsibly disclose vulnerabilities before they can be exploited by threat actors. After an exploit is demonstrated, vendors have 90 days to issue patches before the ZDI publicly releases the details.
Last year, Pwn2Own awarded $1,066,625 for more than 70 unique zero-day vulnerabilities. With Meta’s enhanced backing and expanded targets, this year’s event is expected to push the boundaries of offensive research while promoting responsible vulnerability disclosure.