Nintendo is arriving late to the party but has finally decided to embrace the very active security research community by offering rewards in return for finding and reporting 3DS vulnerabilities.
Just like Qualcomm last month, Nintendo is teaming up with bug bounty platform Hackerone to coordinate the program. The goal of the program is to limit piracy, cheating, and the “dissemination of inappropriate content to children.”
With that in mind, Nintendo is offering rewards of between $100 and $20,000 in return for discovering vulnerabilities in the following areas:
System vulnerabilities:
- Privilege escalation on ARM11 userland
- ARM11 kernel takeover
- ARM9 userland takeover
- ARM9 kernel takeover
The Japanese company is also interested in vulnerabilities allowing access to the ARM11 userland through Nintendo-published applications, as well as hardware vulnerabilities that allow for “low-cost cloning” and “security key detection via information leaks.” If you’re wondering what the term “userland” means, it’s basically the area of the system where commercial games are allowed to run. Some vulnerabilities are already known about that allow non-commercial games (usually termed homebrew games) to run within that area of the system. Clearly Nintendo does not want that to happen.
Nintendo isn’t making public how the vulnerability reward calculation is done, so anyone submitting a vulnerability will just have to wait and see how much Nintendo thinks it is worth. Obviously, the more serious the vulnerability, the higher the payout, but a lot will depend on submission of a functioning exploit to back up the vulnerability claim.
