Nintendo 3DS
3DSNintendo

Nintendo 3DS: Nintendo launches a Bug Bounty Program on HackerOne

Lite_Agent

hackerone is the name of a “vulnerability coordination and bug bounty platform”, that companies can use to hunt for vulnerabilities in their system. Basically, companies ask “hackers” (of the White hat category) to find vulnerabilities, and the first person to correctly report a previously undiscovered vulnerability is rewarded with real money.

As systems get more and more complex, and therefore more and more vulnerable, such a Bounty Program is a way for companies to “crowsource” their security effort, and find exploits/vulnerability they couldn’t find on their own.

And yesterday, Nintendo launched a Bug Bounty Program for the Nintendo 3DS on HackerOne: if you’re interested, you can click here to get more details.

Quite interestingly, Nintendo didn’t launch one for the Wii U, and it’s not clear if there will be one later down the line. Since the company has pretty much given up on the console at this point (the last Firmware update was released in January), this seems rather unlikely. However, it’s highly likely that the Nintendo Switch will be added to that Bounty Program sometime next year.

On the page linked above, Nintendo explain they’re looking to prevent the following on Nintendo 3DS consoles:

  • Piracy, including:
    • Game application dumping
    • Copied game application execution
  • Cheating, including:
    • Game application modification
    • Save data modification
  • Dissemination of inappropriate content to children

And here’s examples of vulnerability they’re looking for:

  • System vulnerabilities regarding the Nintendo 3DS™ family of systems
    • Privilege escalation on ARM11 userland
    • ARM11 kernel takeover
    • ARM9 userland takeover
    • ARM9 kernel takeover
  • Vulnerabilities regarding Nintendo-published applications for the Nintendo 3DS™ family of systems
    • ARM11 userland takeover
  • Hardware vulnerabilities regarding the Nintendo 3DS™ family of systems
    • Low-cost cloning
    • Security key detection via information leaks

As for rewards, Nintendo plans on paying the first reporter of qualifying vulnerability information from $100 to $20 000. Naturally, there’s some restrictions: there is only one reward per qualifying vulnerability information, only Nintendo determines whether said information qualifies, and how the reward amount is calculated will not be disclosed.

Again, you can find more information about the Bug Bounty Program for the Nintendo 3DS on this page!

Lite_Agent

Founder and main writer for Perfectly Nintendo. Tried really hard to find something funny and witty to put here, but had to admit defeat.

Leave a Reply