It's always nice getting paid to do something you love. That's why Nintendo is offering all Nintendo Switch owners a chance to find vulnerabilities before another hacker beats them to it first. Depending on the vulnerability you find, Nintendo is willing to shell out rewards starting at $100, all the way to $20,000, to the first bug reporter who uncovers it.
Companies asking hackers to find bugs is nothing new. Google, Facebook, and Twitter have all been known to shell out bounties for security vulnerabilities. Nintendo has been offering bug bounties for their 3DS family of systems since December 2016, and adding the Switch to that list just means another chance to make some extra cash.
On the HackerOne platform, Nintendo has outlined a few recommendations for any of you interested, which they added on March 3, 2017, when the Switch was first released. The company is focusing on preventing issues in piracy, cheating, and dissemination of inappropriate content to children, as well as patching up software and hardware vulnerabilities with the Nintendo Switch, the Nintendo 3DS family of systems, and Nintendo-published applications for the 3DS.
Nintendo is also interested in finding issues in low-cost cloning and security key detection via information leaks.
Your vulnerability will only be considered high quality if it is exploitable and you are able to provide a proof of concept—or better yet, a functional exploit code. If you can't provide either, you should report your find anyway to ensure you are the first one to do so. You'll have three weeks from your initial reporting to submit a proof of concept.
Nintendo will pay out winners only after fixing the vulnerability and no later than four months after your report has been confirmed. Your reward amount will depend upon the significance of the bug and how easy it is to exploit.
Currently, three hackers—Goodbyeworld, Loituma, and Zacharias—have found vulnerabilities for Nintendo, which the company has resolved within the last day. The amount each reporter received is unknown.
According to HackerOne, where Nintendo has published its guidelines, your report should contain the following:
- State the name of the applicable platform (e.g., Nintendo Switch, Nintendo 3DS, or New Nintendo 3DS).
- State the region you used (e.g., JP, US, or EU) if the platform is Nintendo 3DS or New Nintendo 3DS.
- State the system version number(s) that the vulnerability applies to.
- Describe all of the steps required to reproduce the issue.
- Describe the details of what the vulnerability is and, if possible, potential ways to fix the vulnerability.
- Describe, if applicable, how individuals might be able to utilize the vulnerability information to impair the applicable system(s) and/or game(s) by showing a proof of concept or functional exploit code. You are allowed to submit a proof of concept or functional exploit code later (within three (3) weeks), after the initial submission of the report.
- Confirm that the vulnerability is not widely known to the public.
You can submit your report for Nintendo at HackerOne. May the best hacker win (at the best game the Switch has to offer). If you don't have a Nintendo Switch right now, you can get one on Amazon, though, shortages of the video game console have pushed up prices slightly.