Pwn2Own Offers $1m for Zero-Click WhatsApp Exploit

Security researchers attending the upcoming Pwn2Own competition in Cork have a unique opportunity to win a life-changing prize of $1 million. The coveted award is up for grabs if they can successfully find and exploit a zero-click vulnerability in WhatsApp, a popular messaging app used by millions worldwide.

The competition organizers, Trend Micro's Zero Day Initiative (ZDI), revealed the details last week, sparking excitement among security enthusiasts. According to ZDI head of threat awareness, Dustin Childs, only zero-click vulnerabilities that lead to code execution will be considered for the $1 million cash prize. Smaller awards will be available for other WhatsApp exploits.

"We introduced this category last year, but no one attempted it," said Childs, hinting at the substantial motivation needed to take on this challenge. "Perhaps a number with two commas will provide the needed motivation." Last year's competition saw $1,066,625 awarded for over 70 unique zero-day vulnerabilities.

The upcoming event, which will take place in Trend Micro's Cork office from October 21 to 24, is the second time the competition will be held in Ireland. This year's focus is on consumer products, with eight categories selected. Meta is the main sponsor of the event this year, while Synology and QNAP have also put money into the competition and are helping set up and configure devices for contestants to probe for bugs.

Other participating vendors include Amazon, Philips, Sonos smart home devices, Meta Quest headsets, and Ray-Ban Smart Glasses. Mobile handsets will sit at the "heart of this event," with contestants able to hack a Samsung Galaxy S25, Google Pixel 9, and an Apple iPhone 16.

According to Childs, mobile handsets will be the focus of this year's competition, with a new USB attack vector added for the phones. The goal is to incentivize some of the world's most talented security researchers to find exploits in a range of products. These findings will then be responsibly disclosed to the relevant vendors to fix, while enabling Trend Micro to protect customers with virtual patches until a full update is available.

"We've tweaked the mobile category a bit by adding a new USB attack vector for the phones," said Childs. "Hopefully, we'll see some interesting research come in demonstrating what could happen if a threat actor has physical access to your device." Last year's $1,066,625 total was record-breaking, leaving many wondering if this year's event will top that number.

Zero-click WhatsApp exploits are often discovered and monetized by commercial spyware companies like NSO Group, which used one to deliver its notorious Pegasus malware. With the $1 million bounty on the table, security researchers have the chance to make a significant impact and take home a life-changing prize.