Nintendo has created its own bug bounty program on the popular HackerOne platform to work with the security community in discovering vulnerabilities.
Nintendo Has Joined The Rest With Its Bug Bounty Program
Nintendo has joined other big companies on the bug bounty program network hosted by HackerOne. Operating such an initiative is becoming a requirement for an increasingly large number of large businesses that want to better protect their products and the data of their customers.
The company has described its new plan by stating that its goal is "to provide a secure environment for our customers so that they can enjoy our games and services". The vulnerabilities can affect the product systems themselves, the bundled software or the hardware components. Some of them can incur financial damages related to piracy (dumping and copying games and applications) or to modifying games and applications for cheating purposes. The company will reward legitimate reports that include proof-of-concept code or demonstrations with up to 20 000 US dollars. Unfortunately the company has not revealed the way the rewards are calculated.
The payments are going to be made to the parties after an official patch has been released and no later than four (4) months after Nintendo has confirmed the flaw.
The bug bounty covers the following Nintendo products and areas of interest:
- The Nintendo 3DS systems and bugs related to privilege escalations on the ARM11 userland, ARM11 kernel takeovers, ARM9 userland takeovers and ARM9 kernel takeovers
- Vulnerabilities related to Nintendo-published applications and games for the Nintendo 3DS family of systems
- Hardware vulnerabilities on the Nintendo 3DS systems, including low-cost cloning and security key detection via information leaks
There is also a report template that must be filled with details about the vulnerability:
- State the name of the applicable platform (e.g., Nintendo 3DS™, New Nintendo 3DS™, or both)
- State the region of the platform you used (e.g., JP, US, or EU)
- State the system version number(s) that the vulnerability applies to
- Describe all of the steps required to reproduce the issue
- Describe the details of what the vulnerability is and, if possible, potential ways to fix the vulnerability
- Describe, if applicable, how individuals might be able to utilize the vulnerability information to impair the applicable system(s) and/or game(s) by showing a proof of concept or functional exploit code. You are allowed to submit a proof of concept or functional exploit code later (within three (3) weeks), after the initial submission of the report.
- Confirm that the vulnerability is not widely known to the public.
For more information you can visit the official bug bounty site at HackerOne.