The $1M Zero-Click Challenge: Pwn2Own Offers Record-Breaking Bounty for a WhatsApp Exploit
The organizers of the world’s premier hacking competition, Pwn2Own, have announced a reward that has instantly shifted the industry’s spotlight: a staggering $1 million will be awarded for the successful demonstration of a full-fledged zero-click vulnerability in WhatsApp. This unprecedented prize marks the highest single payout in the contest’s history—offered for an exploit requiring no interaction whatsoever from the user. Given WhatsApp’s global user base of over three billion, the implications of such a flaw could be monumental.
Pwn2Own Ireland 2025 is scheduled to take place from October 21 to 24 in the city of Cork. This year’s primary sponsors include Meta, along with hardware manufacturers Synology and QNAP. According to the Zero Day Initiative, which organizes the event, WhatsApp was added to the competition roster last year, though no participant dared to target it. Now, with a million-dollar incentive on the table, that hesitation may well give way to ambition.
In addition to the grand prize, the contest offers other substantial rewards for WhatsApp exploits of lesser impact. Pwn2Own’s broader program spans eight categories, encompassing smartphones, communication apps, routers and smart home devices, printers, storage systems, surveillance cameras, and wearable technology. Among the devices to be tested are Ray-Ban Smart Glasses and Meta’s Quest 3/3S VR headsets, as well as flagship smartphones like the Samsung Galaxy S25, Google Pixel 9, and iPhone 16.
An intriguing enhancement to this year’s mobile category is the expansion of allowed attack vectors. In addition to wireless channels—Wi-Fi, Bluetooth, and NFC—attacks via USB are now permitted. This means participants can connect directly to locked smartphones through a physical interface, rather than relying solely on network-based exploits.
Applications to participate are open until October 16, and the presentation order will be determined by random draw. As always, any discovered vulnerabilities will be responsibly disclosed to the respective vendors, who will have a 90-day window to issue patches before the technical details are made public. This rule remains a cornerstone of the competition, ensuring that critical flaws are addressed before they can be weaponized.
Last year’s Irish edition of Pwn2Own awarded over $1 million in total, recognizing more than 70 unique zero-day vulnerabilities. The highest single payout went to Viettel Cyber Security—$205,000 for exploits targeting QNAP storage devices, Sonos speakers, and Lexmark printers. Now, with the million-dollar bounty for a WhatsApp exploit, the stakes—and the scale of possible triumphs—have never been higher.
