TLDR
- Meta has expanded its bug bounty program focused on improving WhatsApp security.
- The company introduced a new tool, WhatsApp Research Proxy, to support vulnerability research.
- Meta awarded $4 million this year for nearly 800 verified security reports submitted by researchers.
- Researchers at the University of Vienna identified a new method for enumerating WhatsApp accounts at scale.
- Meta patched multiple vulnerabilities in WhatsApp versions for Android, iOS, and Mac.
- The company released a fix for a Quest device exploit linked to Unity applications.
Meta has launched new security initiatives for WhatsApp, offering $4 million to researchers who uncover platform vulnerabilities. The company introduced a tool called the WhatsApp Research Proxy to support investigations into its messaging protocol. This move aims to expand participation in its bug bounty program and improve WhatsApp’s defenses.
Meta Targets WhatsApp Security With New Research Tool
Meta confirmed WhatsApp faces threats from both state-backed attackers and spyware vendors targeting user data on the platform. Therefore, the company introduced the WhatsApp Research Proxy to improve network protocol analysis for security researchers. The tool initially launched for trusted bug bounty contributors but will reach more researchers soon.
The Research Proxy supports researchers by simulating WhatsApp’s server environment to test vulnerabilities and hacking strategies. Meta explained that understanding WhatsApp’s protocol has always been difficult for those outside the company’s internal teams. However, this tool lowers the complexity, allowing more researchers to contribute effectively.
“We want to lower the entry barrier for researchers not familiar with our infrastructure,” a Meta spokesperson stated. Meta said its security team will continue evaluating access requests to the proxy tool. The company plans a broader release over the next few months for public use.
Meta confirmed it awarded $4 million this year for 798 verified bug reports submitted through its bug bounty program. The company received 13,000 global submissions and rewarded researchers from 88 countries during this period. In total, Meta has paid over $25 million since launching the program 15 years ago.
The tech firm highlighted a recent study by researchers from the University of Vienna that revealed a new enumeration technique. This research generated possible phone numbers and verified their presence on WhatsApp, exposing privacy concerns. Meta acknowledged that the method bypassed platform limits but still offered value in improving protections.
In response, Meta addressed the issue by tightening rate limits and improving detection of unusual enumeration behavior across devices. The company emphasized it continues to prioritize privacy protections and rapid response to reports. Meta said new research submissions using creative tools will remain welcome under the expanded program.
New Vulnerabilities and Patches Rolled Out for WhatsApp and Quest
Meta also addressed several bugs affecting WhatsApp, WhatsApp Business, and WhatsApp for Mac in versions before v2.25.23.73. These flaws allowed malicious actors to retrieve content from unsafe URLs on users’ devices without consent. Meta patched the vulnerabilities and published updates to prevent remote code execution.
Meta also fixed CVE-2025-59489, a bug that affected Meta Quest devices through Unity-based applications. The flaw let attackers run malware using Unity’s third-party code libraries. Meta worked with Unity to close the gap across all affected Unity versions starting from 2017.1.
Researcher RyotaK won Meta’s “Most Impact Award” at the Bug Bounty Researcher Conference for identifying the Quest device vulnerability. Meta confirmed that the exploit involved third-party dependencies that affected multiple apps across the ecosystem. The company urged developers to update Unity libraries to avoid similar issues.
Meta Wins FTC Antitrust Case as Security Program Expands
Meta’s announcement came after a legal victory against the US Federal Trade Commission regarding monopoly claims around Instagram and WhatsApp. A Washington, D.C., judge ruled that the FTC failed to prove that Meta still holds market dominance in social networking. The judge dismissed the case, ending a five-year legal effort.
Judge James Boasberg stated, “The FTC has not done so,” in reference to proving ongoing monopoly control. Meta executives, including Mark Zuckerberg and Kevin Systrom, testified during the trial earlier this year. The court found the FTC’s amended complaint insufficient despite new metrics and user data.
The FTC responded through its director of public affairs, Joe Simonson, who said the agency is considering an appeal. Simonson claimed that Judge Boasberg currently faces “articles of impeachment” and questioned the fairness of the decision. Meta has not commented on the allegations and said it is focused on ongoing security efforts.
Meta said its security teams will continue working with researchers to improve protections across all products, including WhatsApp. The expanded bug bounty scope now includes client-server vulnerabilities, network layers, and third-party components. Meta said more announcements on bug bounty developments will follow before the end of the year.


