WhatsApp and Meta pay hackers 4 million dollars for finding security flaws in 2025
Meta says it has paid security researchers 4 million dollars so far in 2025 for uncovering vulnerabilities in WhatsApp and its other services, as the company marks the fifteenth anniversary of its bug bounty program.
The program rewards ethical hackers who report software and infrastructure weaknesses before cybercriminals can exploit them. According to Meta, more than 25 million dollars has been paid out since the scheme began, with 1,400 researchers from 88 countries receiving awards over the years. Several standout participants have since been hired into Meta’s own security and engineering teams.
Bug bounty programs are now a standard part of security strategy for major technology firms, and the figures highlight how heavily Meta relies on external researchers to help keep Facebook, WhatsApp and its wider platforms secure.
New tools for WhatsApp security research
Meta says WhatsApp remains one of its highest-value targets for attackers and one of the hardest environments in which to find exploitable flaws. To help trusted researchers probe the service more effectively, the company has developed a specialist tool called the WhatsApp Research Proxy.
The proxy gives security researchers a controlled way to study WhatsApp’s network protocol and behaviour. For now, access is restricted to a small group of long-standing bug bounty contributors, but Meta plans to invite more participants and eventually release the tool publicly once it is satisfied with its robustness.
Thousands of reports, hundreds of payouts
In 2025 so far, Meta has received about 13,000 vulnerability reports through its bug bounty channels. Around 800 of those reports were accepted as valid and rewarded with cash payments, the company says.
Meta highlighted two WhatsApp-related findings as especially significant, both of which have already been fixed.
In one case, academic researchers at the University of Vienna found a way to identify WhatsApp accounts at scale. By using open-source tools to generate large lists of possible phone numbers and then checking which ones were registered on WhatsApp, they were able to compile basic profile information in a way that went beyond what Meta intended to be easily collected.
In another case, an internal bug bounty analyst at Meta, while testing the new WhatsApp Research Proxy, discovered a validation weakness affecting rich response messages. The flaw impacted certain versions of WhatsApp, WhatsApp Business for iOS, and WhatsApp for Mac. If left unpatched, it could have allowed one user to trigger the processing of content from an arbitrary web address on another user’s device. Meta says the issue was fixed before there was any sign of real-world exploitation.
Ethical hacking as frontline defence
The latest payout figures underline the growing importance of ethical hacking in defending large platforms that serve billions of users. While cybercriminal intrusions continue to dominate headlines, companies like Meta are quietly channelling millions of dollars into programs that turn independent hackers into part of their security pipeline.
For users of WhatsApp and Meta’s other services, the message is that many vulnerabilities are being caught and fixed before attackers can weaponise them, although no system can be guaranteed perfectly secure. For researchers, the numbers show there is still strong financial and professional incentive to report bugs responsibly, rather than selling them on the black market.
