In a groundbreaking move for cybersecurity research, Trend Micro’s Zero Day Initiative (ZDI), with co-sponsorship from Meta, has announced an unprecedented $1 million prize for a successful zero-click exploit targeting WhatsApp at Pwn2Own Ireland 2025. This event, scheduled for October 21–24, 2025, in Cork, Ireland, sets a new record for the highest single bounty offered in the history of the prestigious hacking contest.
The $1 million reward focuses on one of the most critical vulnerabilities in messaging security: remote code execution attacks that require no user interaction. A zero-click exploit allows an attacker to fully compromise a device simply by sending a specially crafted message to WhatsApp—without any action required by the recipient. Due to WhatsApp’s immense global reach, with over three billion users, such vulnerabilities represent a serious risk to privacy and security worldwide.
Meta’s active involvement as a sponsor highlights the company’s commitment to incentivizing cutting-edge security research and proactively addressing the most severe threats to its user base. The initiative aims to attract some of the world’s best security researchers to uncover weaknesses before they can be abused by malicious actors.
Participants who successfully demonstrate a qualifying exploit at Pwn2Own must provide Meta with comprehensive technical documentation of their discovery. According to the contest guidelines, Meta will have 90 days to patch the vulnerability before any details are disclosed to the public, ensuring users remain protected while the company implements fixes.
The competition will also cover a range of other targets, including popular mobile devices such as the iPhone 16 Pro and Samsung Galaxy S24, with additional cash awards ranging from $50,000 to $300,000 for other categories of vulnerabilities. However, the million-dollar WhatsApp challenge stands out for both its size and its implications for global communications security.
Historically, Pwn2Own has awarded significant sums for discovering high-impact zero-day vulnerabilities across various platforms, underscoring the escalating stakes in the cybersecurity landscape. Notably, no successful zero-click WhatsApp exploit was demonstrated at the previous Pwn2Own event—a testament to its difficulty and the rationale behind the extraordinary bounty now on offer.
