Security researchers will soon gather in Cork, Ireland, for one of the most anticipated cybersecurity competitions of the year: Pwn2Own 2025. This year’s highlight? A staggering $1 million prize for anyone capable of executing a zero-click remote code execution exploit in WhatsApp.
Organized by Trend Micro’s Zero Day Initiative (ZDI), the competition will run from October 21 to 24 at the company’s Cork office. ZDI clarified that to claim the seven-figure bounty, participants must demonstrate a zero-click vulnerability—one that requires no user interaction and results in code execution. While lesser payouts will be awarded for other forms of WhatsApp exploits, the million-dollar reward sets a new bar for difficulty and impact.
“We launched this WhatsApp challenge last year, but no one took it on. Maybe a million-dollar incentive will do the trick,” said Dustin Childs, ZDI’s head of threat awareness.
Consumer Tech in the Crosshairs
Pwn2Own 2025 marks the second time the event is hosted in Ireland, and it focuses exclusively on consumer-targeted devices. Participants will compete in eight categories:
- Mobile Phones
- Messaging Platforms
- SOHO (Small Office/Home Office) Devices
- Smart Home Tech
- Network-Attached Storage (NAS)
- Printers
- Surveillance Systems
- Wearable Devices
Meta is headlining the sponsorship this year, with Synology and QNAP also contributing by providing devices and supporting the setup process for the security tests.
Responsible Hacking for a Safer Digital World
The core mission of Pwn2Own remains the same: to incentivize ethical hacking by rewarding researchers who uncover unknown vulnerabilities. All findings are responsibly disclosed to affected vendors, giving them the opportunity to patch the issues. Meanwhile, Trend Micro deploys virtual patches to protect its users until official fixes roll out.
This year’s competition also introduces a USB-based attack vector in the mobile category, raising the stakes even higher. Contestants will test their skills on popular flagship devices like the Samsung Galaxy S25, Google Pixel 9, and Apple iPhone 16.
“In 2024, we paid out over $1 million for 70+ zero-day bugs. We’re eager to see if 2025 breaks that record—especially with such a massive bounty on the table,” added Childs.
Other featured devices include Ubiquiti routers, Nest smart hubs, Amazon and Philips smart home systems, Meta Quest VR headsets, and Ray-Ban Smart Glasses.
The Bigger Picture: Why Zero-Click Exploits Matter
Zero-click vulnerabilities are particularly dangerous because they require no action from the target. This stealth makes them ideal tools for spyware operators such as NSO Group, which is infamous for deploying Pegasus malware via such flaws in messaging apps like WhatsApp.
By bringing these threats into the spotlight and encouraging responsible disclosure, Pwn2Own 2025 plays a vital role in making consumer technology more secure. As mobile devices become increasingly central to both personal and professional lives, identifying these hidden risks has never been more critical.
Source: https://www.infosecurity-magazine.com/news/pwn2own-1m-zeroclick-whatsapp