Nintendo is inviting white-hat hackers and security researchers to find and report critical security vulnerabilities in its 3DS family of consoles. The Japanese gaming giant will award researchers up to $20,000 (£15,681) for successfully discovered flaws.
The bug bounty programme will be run with Silicon Valley-based platform HackerOne and will focus entirely on Nintendo’s 3DS handhelds. The company emphasised it is not looking for “vulnerability information regarding other Nintendo platforms, network service, or server-related information.”
“Nintendo’s goal is to provide a secure environment for our customers so that they can enjoy our games and services,” the company’s campaign page on HackerOne reads.
“In order to achieve this goal, Nintendo is interested in receiving vulnerability information that researchers may discover regarding Nintendo’s platforms.”
Nintendo is focusing on preventing piracy, cheating and the dissemination of inappropriate content to children. It specifically listed “copied game application execution” under piracy and “game application modification” under cheating as areas for researchers to look into as well.
In the past, Nintendo has been notoriously protective of its properties: it has cracked down on fan-made games, exploits and hacks, and hit two distributors of R4 devices with a lawsuit.
Regarding hardware vulnerabilities, the company has asked researchers to look into low-cost cloning and security key detection through information leaks.
The first reporter of qualifying vulnerability information will be rewarded by Nintendo, with the award amount to be decided by the company. The reward amount will range between $100 and $20,000 and will depend on the importance of the information and quality of the report.
“In general, the importance of the information is higher if the vulnerability is severe, easy-to-exploit, etc.,” the campaign page reads. “A report is evaluated to be high quality if you show that the vulnerability is exploitable by providing a proof of concept (functional exploit code is even better).”
The company also encourages researchers to report any newly discovered vulnerabilities sooner rather than later, even if they do not yet have a proof of concept or functional exploit code. Researchers can submit these within three weeks of the initial report for consideration. The reward will only be paid after Nintendo has fixed the vulnerability, the company noted, adding that the information regarding the flaw cannot be disclosed to any third party.
Bug bounty programmes have been adopted as a popular and effective way for companies to find and address severe security flaws in their digital infrastructure and systems before they are exploited by malicious attackers.
While major technology companies such as Google, Microsoft, Facebook, Twitter and Yahoo have been running their own bug bounty programmes for a while now, other firms such as Chrysler, Yelp, Uber and Apple have recently launched their own initiatives. Even the Department of Defense and the US Army have offered bug bounty hunters from around the world the opportunity to find security flaws in their systems.