[BreachExchange] Nintendo offers hackers up to $20,000 to find Switch and 3DS security flaws

Inga Goddijn inga at riskbasedsecurity.com
Thu Apr 13 17:12:02 EDT 2017


http://www.ibtimes.co.uk/nintendo-offers-hackers-20000-find-switch-3ds-security-flaws-1616910

Nintendo is calling on white-hat hackers and security researchers, offering
up to $20,000 (£15,962), to find any security flaws in its recently released
hybrid portable console - the Nintendo Switch. Bug bounty hunters could
earn rewards ranging from $100 to $20,000 for reported Switch security
exploits, depending on their severity, exploitability and the quality of the
report.

According to a post by Nintendo on HackerOne
<https://hackerone.com/nintendo?view_policy=true>, a Silicon Valley-based
bug bounty platform, the Japanese gaming giant is offering rewards for new
information related to piracy, cheating and dissemination of inappropriate
content to children.

Bug bounty hunters are also encouraged to find and report any system
vulnerabilities that could compromise the device
<http://www.ibtimes.co.uk/nintendo-switch-emulator-download-links-spread-online-heres-why-you-shouldnt-trust-them-1614487>
including system vulnerabilities in certain areas such as "privilege escalation from
userland, kernel takeover, ARM TrustZone takeover and userland takeover for
Nintendo-published applications".

Nintendo is also looking for successfully discovered flaws in its 3DS
family of consoles
<http://www.ibtimes.co.uk/nintendo-offers-hackers-20000-find-3ds-security-vulnerabilities-1595090>
regarding privilege escalation on ARM11 userland, ARM11 kernel
takeover, ARM9 userland takeover and ARM9 kernel takeover.

Users can also report other 3DS vulnerabilities such as ARM11 userland
takeover that does not require other hacks and tools as well as any
hardware vulnerabilities related to the Switch or 3DS systems.

The first reporter of a valid vulnerability will be rewarded, Nintendo said.

"Nintendo will determine at its discretion whether the vulnerability
information qualifies for a reward as well as the amount of any such
reward," the company said, noting that it will not disclose how the amount
is calculated. "Rewards will not be issued to individuals who are on
sanction lists, or who are in countries on sanction lists."

Successful bug bounty hunters will be rewarded after the reported flaw is
patched by Nintendo no later than four months after Nintendo confirms the
vulnerability. However, the company notes that it is solely interested in
security flaws related to the Switch and 3DS family and is "not seeking
vulnerability information regarding other Nintendo platforms, network
service, or server-related information".

So far, three people have successfully reported vulnerabilities and have
received undisclosed bounties for doing so.

From Microsoft and Facebook to Uber
<http://www.ibtimes.co.uk/uber-beef-security-by-offering-10000-hackers-who-uncover-bugs-its-system-1551151>,
Chrysler and the US Army
<http://www.ibtimes.co.uk/us-army-announces-hack-army-bug-bounty-programme-inviting-hackers-expose-security-flaws-1591188>,
many companies and agencies have adopted bug bounty programmes as an
effective way to find and squash unwanted and potentially severe security
flaws within the systems before they are exploited by malicious hackers.