HackerOne: Nintendo extends vulnerability bounty program to the Nintendo Switch

Back in December, Nintendo launched a vulnerability bounty program on HackerOne, a well-known vulnerability coordination and bug bounty platform used by Twitter and Dropbox (among many others). At first, users could only report vulnerabilities on the Nintendo 3DS platform (including the New Nintendo 3DS), with Nintendo seemingly not interested in any Wii U vulnerabilities.

But last month, on March 3rd, Nintendo extended that vulnerability bounty program to its latest console: the Nintendo Switch. Here are some examples of vulnerabilities Nintendo is looking for:


  • System vulnerabilities regarding Nintendo Switch
    • Privilege escalation from userland
    • Kernel takeover
    • ARM® TrustZone® takeover
  • Vulnerabilities regarding Nintendo-published applications for Nintendo Switch
    • Userland takeover


Unsurprisingly, there’s no mention of regions for the Nintendo Switch (unlike the Nintendo 3DS and the New Nintendo 3DS), since the console itself is fully region-free.

Nintendo also made a few minor changes to the bounty program, and now mentions that the company “reserves the right to choose whether or not it will address any reported vulnerabilities”.

As of writing, Nintendo is still not interested in any other vulnerabilities, such as network-related services and the like, or the Wii U. Nintendo appears to be truly done with the Wii U as far as Firmware updates go: the last one is from January 2016. It looks like nothing less than a highly critical vulnerability will warrant a new Firmware update for the Wii U.

Also, today, Nintendo rewarded some users for the very first time (most likely related to the new Firmware update for the Nintendo 3DS). But naturally, the company did not disclose the vulnerabilities that were reported, or the amount of the bounty for each user.

Source: Nintendo (HackerOne)



Founder and main writer for Perfectly Nintendo. Tried really hard to find something funny and witty to put here, but had to admit defeat. Also known as Maintenance Guy by some. Twitter: @lite_agent
