Meta has paid out $4 million through its bug bounty program in 2025, which brings the total awarded by the social media giant since the creation of the program to more than $25 million.
Meta has received roughly 13,000 vulnerability reports this year, of which about 800 have been rewarded.
Three reports have been highlighted by the company. One concerned CVE-2025-59489, a Unity vulnerability that also prompted action from Microsoft and Steam. In Meta's case, a malicious application installed on a Quest VR headset could have used it to manipulate Unity-based applications and execute arbitrary code.
Another report highlighted by Meta was submitted by researchers from the University of Vienna, who described a method for enumerating WhatsApp accounts at scale.
The researchers used open source tools to generate candidate phone numbers, checked whether each number was associated with a WhatsApp account, and compiled the publicly accessible account information for those that were.
Another bug report targeting WhatsApp came from a Meta analyst, who found an incomplete validation issue that could have been exploited to trigger the processing of content from an arbitrary URL on a user’s device.
The company says WhatsApp's clients and server infrastructure are important targets, but acknowledges that vulnerabilities in them are not easy to find. In response to feedback from researchers, Meta has decided to build a tool that should make WhatsApp-specific technologies easier to research.
The tool, called WhatsApp Research Proxy, is designed for analyzing the messaging application's network protocol. It is currently available only to a small group of long-time bug bounty hunters; more researchers will be invited to test it over time, with the ultimate goal of making it available to everyone.