Nintendo offers hackers up to $20,000 to find Switch and 3DS security flaws

Nintendo is calling on white-hat hackers and security researchers up to $20,000 (£15,962) to find any security flaws in its recently released hybrid portable console - the Nintendo Switch. Bug bounty hunters could earn rewards ranging from $100 to $20,000 for reported Switch security exploits, depending on its severity, exploitability and quality of the report.

According to a post by Nintendo on HackerOne, a Silicon Valley-based bug bounty platform, the Japanese gaming giant is offering rewards for new information related to piracy, cheating and dissemination of inappropriate content to children.

Bug bounty hunters are also encouraged to find and report any system vulnerabilities that could compromise the device including system vulnerabilities in certain areas such as "privilege escalation from userland, kernel takeover, ARM TrustZone takeover and userland takeover for Nintendo-published applications".

Nintendo is also looking for successfully discovered flaws in its 3DS family of consoles regarding privilege escalation on ARM ARM11 userland, ARM11 kernel takeover, ARM ARM9 userland takeover and ARM9 kernel takeover.

Users can also report other 3DS vulnerabilities such as ARM11 userland takeover that does not require other hacks and tools as well as any hardware vulnerabilities related to the Switch or 3DS systems.

The first reporter of a valid vulnerability will be rewarded, Nintendo said.

"Nintendo will determine at its discretion whether the vulnerability information qualifies for a reward as well as the amount of any such reward," the company said, noting that it will not disclose how the amount is calculated. "Rewards will not be issued to individuals who are on sanction lists, or who are in countries on sanction lists."

Successful bug bounty hunters will be rewarded after the reported flaw is patched by Nintendo no later than four months after Nintendo confirms the vulnerability. However, the company notes that it is solely interested in security flaws related to the Switch and 3DS family and is "not seeking vulnerability information regarding other Nintendo platforms, network service, or server-related information".

So far, three people have successfully reported vulnerabilities and have received undisclosed bounties for doing so.

From Microsoft and Facebook to Uber, Chrysler and the US Army, many companies and agencies have adopted bug bounty programmes as an effective way to find and squash unwanted and potentially severe security flaws within the systems before they are exploited by malicious hackers.