Cybersecurity researchers from Team Z3 have withdrawn their planned demonstration of a zero-click remote code execution vulnerability in WhatsApp at the Pwn2Own Ireland 2025 hacking competition, opting instead for private coordinated disclosure to Meta.
The high-stakes exploit, which stood to earn a record-breaking $1 million bounty, was one of the most anticipated demonstrations at the three-day event held in Cork, Ireland, from October 21-23.
The withdrawal left on-site spectators and fellow competitors disappointed, as the WhatsApp exploit represented the contest’s crown jewel and potentially the largest single payout in Pwn2Own history.
According to the Zero Day Initiative (ZDI), the event's organizer, Team Z3 felt their research was not ready for a live public display.
Despite the absence of a public demonstration, ZDI emphasized the positive security outcome, noting that their analysts would conduct initial assessments before handing over findings to Meta engineers, ensuring a structured response to any validated flaws.
Meta, WhatsApp’s parent company and a co-sponsor of Pwn2Own Ireland alongside Synology and QNAP, expressed continued interest in the findings and reaffirmed their commitment to strengthening the app’s defenses against sophisticated threats.
Zero-click exploits, which require no user interaction to compromise devices, pose particularly severe risks and have been weaponized in past spyware campaigns targeting high-profile individuals.
By facilitating this private disclosure channel, ZDI aims to give Meta up to 90 days post-event to patch issues before public revelation, aligning with ethical hacking norms and responsible disclosure practices.
While the WhatsApp demonstration didn’t materialize, Pwn2Own Ireland 2025 ultimately awarded $1,024,750 in prizes for 73 unique zero-day vulnerabilities discovered across various devices.
Successful exploits targeted the Samsung Galaxy S25 smartphone, Philips Hue Bridge smart home devices, Lexmark and Canon printers, QNAP network-attached storage systems, and Ubiquiti surveillance cameras.
The event showcased the evolving landscape of bug bounties and coordinated disclosures in cybersecurity, with vendors increasingly partnering with security researchers to identify vulnerabilities before malicious actors can exploit them.
The WhatsApp saga serves as a reminder of the hidden risks lurking in ubiquitous communication apps used by three billion people worldwide.
As the cybersecurity community awaits Meta’s response, Team Z3’s decision to prioritize responsible revelation over public spectacle demonstrates the maturity of modern vulnerability research, potentially averting widespread harm to WhatsApp users globally.