Connect with us

Hi, what are you looking for?



Nintendo Offers $20,000 for Vulnerabilities in 3DS Consoles

Nintendo announced on Monday the launch of a new bug bounty program for its 3DS handheld gaming systems. The company is prepared to offer between $100 and $20,000 for vulnerabilities found in the product.

Nintendo announced on Monday the launch of a new bug bounty program for its 3DS handheld gaming systems. The company is prepared to offer between $100 and $20,000 for vulnerabilities found in the product.

The bug bounty program, hosted on HackerOne, is only for 3DS consoles – the company says it’s currently not interested in vulnerabilities affecting other platforms or services.

Nintendo is willing to pay for system flaws, such as privilege escalation or takeover issues affecting ARM11 and ARM9 processors. The company also encourages researchers to report vulnerabilities found in Nintendo applications, and hardware weaknesses that can be leveraged to obtain security keys or clone systems at a low cost.

Through its bug bounty program, Nintendo aims to prevent piracy, cheating and dissemination of inappropriate content to children.

“A report is evaluated to be high quality if you show that the vulnerability is exploitable by providing a proof of concept (functional exploit code is even better),” Nintendo said. “If you don’t yet have a proof of concept, or functional exploit code, we still encourage you to report to us sooner rather than later such that you do not to lose the opportunity to become the first reporter; you can then submit a proof of concept or functional exploit code later (within three weeks of the initial report) and it will be considered to be a part of the report.”

The company has promised to pay researchers within four months after the vulnerability has been confirmed, but not before the security hole has been patched. Bounty amounts will not be disclosed.

Issues that are already known are not eligible for a reward and Nintendo prohibits researchers from disclosing vulnerability information, even after a patch becomes available. The company has argued that devices running older versions of the system may remain vulnerable even after a fix is released.

Advertisement. Scroll to continue reading.

There are several major organizations running bug bounty programs on HackerOne, including Kaspersky, Panasonic Avionics, Qualcomm, Uber, Yelp and the U.S. Army.

Related Reading: ‘League of Legends’ Creators Unveil Details of Bug Bounty Program

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.