Nintendo announced on Monday the launch of a new bug bounty program for its 3DS handheld gaming systems. The company is prepared to offer between $100 and $20,000 for vulnerabilities found in the product.
The bug bounty program, hosted on HackerOne, is only for 3DS consoles – the company says it’s currently not interested in vulnerabilities affecting other platforms or services.
Nintendo is willing to pay for system flaws, such as privilege escalation or takeover issues affecting ARM11 and ARM9 processors. The company also encourages researchers to report vulnerabilities found in Nintendo applications, and hardware weaknesses that can be leveraged to obtain security keys or clone systems at a low cost.
Through its bug bounty program, Nintendo aims to prevent piracy, cheating and dissemination of inappropriate content to children.
“A report is evaluated to be high quality if you show that the vulnerability is exploitable by providing a proof of concept (functional exploit code is even better),” Nintendo said. “If you don’t yet have a proof of concept, or functional exploit code, we still encourage you to report to us sooner rather than later such that you do not to lose the opportunity to become the first reporter; you can then submit a proof of concept or functional exploit code later (within three weeks of the initial report) and it will be considered to be a part of the report.”
The company has promised to pay researchers within four months after the vulnerability has been confirmed, but not before the security hole has been patched. Bounty amounts will not be disclosed.
Issues that are already known are not eligible for a reward and Nintendo prohibits researchers from disclosing vulnerability information, even after a patch becomes available. The company has argued that devices running older versions of the system may remain vulnerable even after a fix is released.
There are several major organizations running bug bounty programs on HackerOne, including Kaspersky, Panasonic Avionics, Qualcomm, Uber, Yelp and the U.S. Army.
Related Reading: ‘League of Legends’ Creators Unveil Details of Bug Bounty Program