During the Pwn2Own Ireland 2025 hacking competition, held in Cork from October 21 to 23, cybersecurity researchers from Team Z3 withdrew their planned demonstration of a zero-click remote code execution vulnerability in WhatsApp, opting instead to report it privately to Meta through a coordinated disclosure. The withdrawal surprised attendees and fellow competitors, as the exploit could have earned Team Z3 the largest single payout in Pwn2Own history with a record-breaking $1 million bounty. This substantial reward reflected the critical nature of zero-click vulnerabilities in an application used by three billion people worldwide. Private Disclosure Chosen Over Public Demonstration According to the Zero Day Initiative (ZDI), which organizes Pwn2Own, Team Z3 determined their research wasn’t ready for a live public demonstration. Despite the withdrawal, ZDI emphasized the positive outcome of this decision, stating that their analysts would conduct initial assessments before transferring the findings to Meta’s engineering team. This approach ensures a structured response to the vulnerability while protecting WhatsApp’s massive user base from potential exploitation. The private disclosure aligns with ethical hacking standards that prioritize user safety over public spectacle. Meta, WhatsApp’s parent company and a co-sponsor of Pwn2Own Ireland alongside Synology and QNAP, expressed continued interest in Team Z3’s
Read More
Pwn2Own Hackers Privately Report WhatsApp Zero-Click Vulnerability to Meta

Pwn2Own Hackers Privately Report WhatsApp Zero-Click Vulnerability to Meta