Humans have been tinkering with complex systems since the dawn of civilization, with hacking being the latest iteration of the human desire to poke around in something that looks cool. With the transformation of modern consoles from stand-alone systems to connected hubs, gaming has become just as vulnerable to viruses and other lurking dangers of Internet life as the average user. A particularly chilling example was the PlayStation Network hack in 2011, which exposed the personal information of 77 million gamers.

Nintendo has been a less obvious hacking target for years, but the company has become more active in defending its electronic domains. Back in December 2016, they partnered with HackerOne in order to find security flaws and vulnerabilities in their popular 3DS console. The day before launch, they extended the program to include the Switch, a decision that proved prophetic, as a hacker quickly exploited a known vulnerability in WebKit.

According to Perfectly-Nintendo, the company also added language where it “reserves the right to choose whether or not it will address any reported vulnerabilities.” Even so, HackerOne today documented that three users (handles: endergamer549, zacharias, loituma) were rewarded with a bounty. The bounties range from $100 to $20,000, with one reward per qualifying vulnerability. Neither the sums rewarded nor the systems the exploits were found on were revealed.

Below are examples of vulnerabilities that Nintendo is interested in:

  • System vulnerabilities regarding Nintendo Switch
    • Privilege escalation from userland
    • Kernel takeover
    • ARM® TrustZone® takeover
  • Vulnerabilities regarding Nintendo-published applications for Nintendo Switch
    • Userland takeover
  • System vulnerabilities regarding the Nintendo 3DS family of systems
    • Privilege escalation on ARM® ARM11™ userland
    • ARM11 kernel takeover
    • ARM® ARM9™ userland takeover
    • ARM9 kernel takeover
  • Vulnerabilities regarding Nintendo-published applications for the Nintendo 3DS family of systems
    • ARM11 userland takeover that doesn’t require other hacks or tools (“secondary” exploits would be those that require other hacks or tools to be effective; those would be out of scope for this program)
  • Hardware vulnerabilities regarding either the Nintendo Switch system or the Nintendo 3DS™ family of systems
    • Low-cost cloning
    • Security key detection via information leaks

While Nintendo is collecting vulnerabilities afflicting the Switch system and the 3DS family, it’s currently not collecting information regarding other Nintendo platforms, network service, or server-related information. This includes the Wii U, which last had a firmware update in January 2016.