Security researchers attending the upcoming Pwn2Own competition in Cork have the chance to win $1m if they can find a high-impact exploit in WhatsApp.
The competition organizers, Trend Micro’s Zero Day Initiative (ZDI), explained late last week that only zero-click vulnerabilities that lead to code execution would be considered for the six-figure cash prize, although smaller awards will be available for other WhatsApp exploits.
“We introduced this category last year, but no one attempted it. Perhaps a number with two commas will provide the needed motivation,” said ZDI head of threat awareness, Dustin Childs.
The upcoming event, which will take place in Trend Micro’s Cork office from October 21 to 24, is the second time the competition will be held in Ireland. It is focused on consumer products, with eight categories selected:
- Mobile phones
- Messaging
- The SOHO Smashup
- Smart home devices
- Printers
- NAS devices
- Surveillance system devices
- Wearables
Meta is the main sponsor of the event this year, with Synology and QNAP also putting money into the competition, as well as helping to set up and configure devices for contestants to probe for bugs.
Read more on Pwn2Own: Researchers Discover Over 70 Zero-Day Bugs at Pwn2Own Ireland
As always, the idea is to incentivize some of the world’s most talented security researchers to find exploits in a range of products. This information will then be responsibly disclosed for the relevant vendors to fix, while enabling Trend Micro to protect customers with virtual patches until a full update is available.
“We’ve tweaked the mobile category a bit by adding a new USB attack vector for the phones. Hopefully, we’ll see some interesting research come in demonstrating what could happen if a threat actor has physical access to your device,” said Childs.
“Last year, we awarded $1,066,625 for over 70 unique zero-day vulnerabilities at the contest. We can’t wait to see if 2025 tops that number – especially with a million-dollar bounty on the table.”
Mobile handsets will sit at the “heart of this event,” with contestants able to hack a Samsung Galaxy S25, Google Pixel 9 and an Apple iPhone 16.
Other products in the competition will include QNAP, Ubiquiti and Nest SOHO devices, Amazon, Philips and Sonos smart home devices, Meta Quest headsets and Ray-Ban Smart Glasses.
Zero-click WhatsApp exploits are often discovered and monetized by commercial spyware companies like NSO Group, which used it to deliver its notorious Pegasus malware.
Image credit: Diego Thomazini / Shutterstock.com
No tags.
