By Jonathan Falu / December 6th, 2016
Nintendo has had enough of exploits for hackers to exploit on the 3DS and is now offering bounties. They have issued a request on hackerone.com, wishing to prevent things such as piracy and cheating, along with “dissemination of inappropriate content to children.” There will be rewards in the form of United States currency of $100 to $20,000 “per qualifying piece of vulnerability information.” However, Nintendo has not mentioned how the reward would be calculated. There are some rules however, like if it’s not well-known, along with the following:
Below are examples of vulnerabilities that Nintendo is interested in receiving information about:
- System vulnerabilities regarding the Nintendo 3DS™ family of systems
- Privilege escalation on ARM11 userland
- ARM11 kernel takeover
- ARM9 userland takeover
- ARM9 kernel takeover
- Vulnerabilities regarding Nintendo-published applications for the Nintendo 3DS™ family of systems
- ARM11 userland takeover
- Hardware vulnerabilities regarding the Nintendo 3DS™ family of systems
- Low-cost cloning
- Security key detection via information leaks
Nintendo reserves the right to choose whether or not it will address any reported vulnerabilities.
Please include the details requested in below when submitting vulnerability information to Nintendo. All such reports should be submitted in English.
- State the name of the applicable platform (e.g., Nintendo 3DS™, New Nintendo 3DS™, or both
- State the region of the platform you used (e.g., JP, US, or EU)
- State the system version number(s) that the vulnerability applies to
- Describe all of the steps required to reproduce the issue
- Describe the details of what the vulnerability is and, if possible, potential ways to fix the vulnerability
- Describe, if applicable, how individuals might be able to utilize the vulnerability information to impair the applicable system(s) and/or game(s) by showing a proof of concept or functional exploit code. You are allowed to submit a proof of concept or functional exploit code later (within three (3) weeks), after the initial submission of the report.
- Confirm that the vulnerability is not widely known to the public.
What do you think about Nintendo’s decision to try and find more of the 3DS’ exploits to fix? Do you think these problems can truly be fixed? Will you participate to gain some extra cash? Be sure to let us know what you think about all of this in the comments below!