Nintendo announced on Monday the launch of a new bug bounty program for its 3DS handheld gaming systems. The company is prepared to offer between $100 and $20,000 for vulnerabilities found in the product.
The bug bounty program, hosted on HackerOne, is only for 3DS consoles – the company says it’s currently not interested in vulnerabilities affecting other platforms or services.
Nintendo is willing to pay for system flaws, such as privilege escalation or takeover issues affecting ARM11 and ARM9 processors. The company also encourages researchers to report vulnerabilities found in Nintendo applications, and hardware weaknesses that can be leveraged to obtain security keys or clone systems at a low cost.
Through its bug bounty program, Nintendo aims to prevent piracy, cheating and dissemination of inappropriate content to children.
“A report is evaluated to be high quality if you show that the vulnerability is exploitable by providing a proof of concept (functional exploit code is even better),” Nintendo said. “If you don’t yet have a proof of concept, or functional exploit code, we still encourage you to report to us sooner rather than later such that you do not to lose the opportunity to become the first reporter; you can then submit a proof of concept or functional exploit code later (within three weeks of the initial report) and it will be considered to be a part of the report.”
The company has promised to pay researchers within four months after the vulnerability has been confirmed, but not before the security hole has been patched. Bounty amounts will not be disclosed.
Issues that are already known are not eligible for a reward and Nintendo prohibits researchers from disclosing vulnerability information, even after a patch becomes available. The company has argued that devices running older versions of the system may remain vulnerable even after a fix is released.
There are several major organizations running bug bounty programs on HackerOne, including Kaspersky, Panasonic Avionics, Qualcomm, Uber, Yelp and the U.S. Army.
Related Reading: ‘League of Legends’ Creators Unveil Details of Bug Bounty Program
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
Latest News
- Dozens of Malicious Extensions Found in Chrome Web Store
- What if the Current AI Hype Is a Dead End?
- Microsoft Makes SMB Signing Default Requirement in Windows 11 to Boost Security
- Zyxel Urges Customers to Patch Firewalls Against Exploited Vulnerabilities
- Gigabyte Rolls Out BIOS Updates to Remove Backdoor From Motherboards
- SBOMs – Software Supply Chain Security’s Future or Fantasy?
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
