Nintendo is offering rewards of USD$100 to USD$20,000 for detailed reports of vulnerabilities found in 3DS systems. Reports are submitted through HackerOne, a “vulnerability coordination and bug bounty platform” based in San Francisco.
“Nintendo is only interested in vulnerability information regarding the Nintendo 3DS™ family of systems and is not seeking vulnerability information regarding other Nintendo platforms, network service, or server-related information,” reads the company’s HackerOne page, in a desperate plea to please stay away from its other higher-risk systems.
The practice of offering rewards for discovered vulnerabilities isn’t a new one. The first company credited with the idea was Netscape, which developed its program thanks to the efforts of technical support engineer Jarrett Ridlinghafer. Many other companies have since jumped at the idea, hoping to turn potential attackers into collaborators by incentivizing their efforts with cash rewards. Going by the HackerOne client list alone, companies such as Airbnb, Amazon Web Services, Starbucks, Yelp, Uber, GitHub, Slack, Twitter, Dropbox, and many others offer various rewards to those who identify at-risk systems.
Nintendo is focusing potential hackers on the prevention of piracy, cheating, and the dissemination of inappropriate content to children. Under the Piracy heading, Nintendo also lists “copied game application execution,” which does put the unlicensed homebrew 3DS games community squarely in the crosshairs. The company has a history of this, with various exploits and hacks being patched out in firmware updates, and lawsuits launched against game-copying devices such as the R4 card.
Rewards will be paid to the first reporter of a qualifying vulnerability, with the bounty amount being at Nintendo’s discretion. “The reward amount depends on the importance of the information and the quality of the report,” reads Nintendo’s HackerOne policy. “In general, the importance of the information is higher if the vulnerability is severe, easy-to-exploit, etc.”
It should be obvious, but any submitted vulnerability information, whether it is deemed worthy of a reward or not, will become the sole property of Nintendo. Even hackers need to read the fine print.