Good news: Nintendo has joined the club of companies running a “bug bounty program,” a mechanism for involving the ethical hacking community.
The company is the latest to adopt this strategy; HackerOne already hosts bug bounty programs launched by Kaspersky, Qualcomm, and Uber, as well as the “Hack the Army” program promoted by the U.S. Army.
The bug bounty program is hosted on the HackerOne platform and, in this phase, is limited to 3DS consoles, as the giant explained.
“Nintendo’s goal is to provide a secure environment for our customers so that they can enjoy our games and services. In order to achieve this goal, Nintendo is interested in receiving vulnerability information that researchers may discover regarding Nintendo’s platforms,” reads the announcement published on HackerOne. “Currently, in the context of the HackerOne program, Nintendo is only interested in vulnerability information regarding the Nintendo 3DS™ family of systems and is not seeking vulnerability information regarding other Nintendo platforms, network service, or server-related information.”
The company will pay for 3DS vulnerabilities that allow an attacker to take over the console or escalate privileges on the ARM11 and ARM9 processors.
Nintendo aims to prevent illegal activities such as piracy, cheating, and dissemination of inappropriate content to children.
The giant is also willing to pay for hardware vulnerabilities in the Nintendo 3DS family of systems, including low-cost cloning and security key detection via information leaks.
Nintendo will pay rewards from $100 USD to $20,000 USD; of course, it will determine at its discretion whether a flaw is to be rewarded. The company doesn’t provide details on the evaluation process for each flaw.
“A report is evaluated to be high quality if you show that the vulnerability is exploitable by providing a proof of concept (functional exploit code is even better),” continues Nintendo. “If you don’t yet have a proof of concept, or functional exploit code, we still encourage you to report to us sooner rather than later such that you do not lose the opportunity to become the first reporter; you can then submit a proof of concept or functional exploit code later (within three weeks of the initial report) and it will be considered to be a part of the report.”
Nintendo intends to prohibit hackers from disclosing vulnerability information even after a patch becomes available.
(Security Affairs – Bug bounty program, Nintendo)