Nintendo’s handheld game systems have long had an issue with piracy and hacking, and now the company is finally going to do something about it. In partnership with bug-busting platform HackerOne, Nintendo is launching an extremely thorough bug bounty program to find and fix as many vulnerabilities as it possibly can.
The program, which is accepting bugs on the Nintendo 3DS console exclusively, offers a minimum bounty of $100 for verified bugs, and a maximum bounty of $20,000. According to the official bounty posting, Nintendo is seeking out vulnerabilities related to the following:
- Piracy, including:
- Game application dumping
- Copied game application execution
- Cheating, including:
- Game application modification
- Save data modification
- Dissemination of inappropriate content to children
- System vulnerabilities regarding the Nintendo 3DS™ family of systems
- Privilege escalation on ARM11 userland
- ARM11 kernel takeover
- ARM9 userland takeover
- ARM9 kernel takeover
- Vulnerabilities regarding Nintendo-published applications for the Nintendo 3DS™ family of systems
- ARM11 userland takeover
- Hardware vulnerabilities regarding the Nintendo 3DS™ family of systems
- Low-cost cloning
- Security key detection via information leaks
That’s a pretty exhaustive list, and suggests that Nintendo knows that its mobile platform is littered with vulnerabilities.
Perhaps the most well-known exploit on the 3DS, the “Revolution” cartridge — more commonly known as “R4” — allows game ROMs to be downloaded from the web and then played on the system via the SD card slot. Nintendo has repeatedly sought to ban the sale of the cartridge from as many online retailers as possible, but it’s still possible to find them with little effort.
The Nintendo Wii was also a notoriously exploitable console, and several methods were devised to install homebrew applications and ROM launchers, allowing players to fill external hard drives with illegally downloaded games and then play them, disc-free, on the system.