Meta unveils $4 million bounty program for WhatsApp security research

Meta has expanded its bug bounty program for WhatsApp, announcing new incentives to improve security research on the messaging platform alongside a $4 million award to white hat hackers who discover vulnerabilities.

According to the tech company’s press statement released on Tuesday, WhatsApp is a lucrative target for state-sponsored hackers and commercial spyware developers. Meta said the new initiative seeks to make it easier for security researchers to investigate hacking strategies used specifically on the app messenger.

Meta launches WhatsApp Research Proxy for bug bounty researchers

Meta has introduced a tool called the WhatsApp Research Proxy to help security researchers examine the messaging platform’s network protocol more effectively. Initially available to a select group of long-time bug bounty participants, the company said it helps simplify investigations into WhatsApp’s infrastructure.

The Research Proxy is intended to assist in uncovering vulnerabilities that might otherwise go undetected, and plans to expand access to more researchers over time are underway, leading to its public release in the coming months.

“Our goal is to lower the barrier of entry for academics and other researchers who might not be as familiar with bug bounties to join our program,” a Meta spokesperson said. “WhatsApp clients and server infrastructure are high targets but also among the hardest surfaces to find bugs in.”

Meta issues $25 million in payouts to global bug hunting participation

Meta confirmed that it has already paid $4 million this year for nearly 800 validated reports. Over the past 15 years, the company has awarded more than $25 million to 1,400 researchers from 88 countries, and it received approximately 13,000 submissions from security researchers worldwide.

According to the Facebook and Instagram parent company’s latest blog, academic researchers at the University of Vienna recently reported a novel method for enumerating WhatsApp accounts at scale. 

University of Vienna’s study generated lists of possible phone numbers using open-source tools, and checked if the numbers registered on WhatsApp compiled publicly accessible information. Although the research exceeded the platform’s intended limits, Meta said it provided valuable security flaws it needed to mitigate.

Other bugs were found in an incomplete validation flaw on WhatsApp versions prior to v2.25.23.73, WhatsApp Business for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83. 

The vulnerabilities could have allowed attackers to process content retrieved from arbitrary URLs on another user’s device. Meta released an operating system-level patch to address CVE-2025-59489, an exploit that could have installed malware on Quest devices to execute arbitrary code on Unity applications.

In its annual Bug Bounty Researcher Conference, security researcher RyotaK won the “Most Impact Award” for identifying bugs from the Quest device vulnerability traced to Unity’s third-party code. The researcher worked with Unity to resolve the issue affecting apps built on Unity 2017.1 and later.

Meta counts legal victory in antitrust US FTC case

Meta’s bug bounty program announcement comes on the heels of a legal win in its antitrust case against the US Federal Trade Commission, as reported by Cryptopolitan on Tuesday. 

The FTC had alleged five years ago that Meta held a monopoly in social networking through Instagram and WhatsApp. In a memorandum opinion, Judge James Boasberg of the US District Court in Washington, DC, said the FTC had failed to prove its case. 

“Whether or not Meta enjoyed monopoly power in the past, though, the agency must show that it continues to hold such power now. The Court’s verdict today determines that the FTC has not done so. A judgment so stating shall issue this day.”

Meta CEO Mark Zuckerberg, former operating chief Sheryl Sandberg, Instagram co-founder Kevin Systrom, and other executives all gave their testimonies earlier this year. The court had dismissed the case in 2021 for lack of evidence, although the FTC filed an amended complaint that year with updated metrics and user data. 

Boasberg allowed the case to proceed in 2022 after a review, but he finally ruled in Meta’s favor this week.

Joe Simonson, the FTC’s director of public affairs, argued that Meta was favored by Judge Boasberg, whom he claimed was “currently facing articles of impeachment.” 

“We are reviewing all our options,” Simonson told reporters after the ruling, insinuating that another appeal could come.

Claim your free seat in an exclusive crypto trading community - limited to 1,000 members.