Nintendo Offers $20K to Hack the Switch

The Nintendo Switch, the just-released replacement for the Wii gaming console, dares you to hack it.

The console is already a pawn in cyber-arsenals, and now Nintendo has ponied up a $20,000 bug bounty via HackerOne for anyone able to actually crack the machine by uncovering hardware security vulnerabilities.

“Nintendo’s goal is to provide a secure environment for our customers so that they can enjoy our games and services,” the Japanese giant said on the bounty page. “In order to achieve this goal, Nintendo is interested in receiving vulnerability information that researchers may discover regarding Nintendo’s platforms. Currently, in the context of the HackerOne program, Nintendo is only interested in vulnerability information regarding the Nintendo Switch system and the Nintendo 3DS family of systems and is not seeking vulnerability information regarding other Nintendo platforms, network service, or server-related information.”

Ostensibly, the idea is to prevent piracy. But the focus on security is also a bit of a blow to the “homebrew” community, which is devoted to essentially jailbreaking Nintendo devices in order to customize them with their own code, or to run games they’ve developed themselves. There are a few reasons Nintendo opposes homebrew efforts, though. One, opening up the box to rogue and unmanaged applications is a potential security risk, creating an unmanaged third-party vector for malware. Two, while those in the homebrew community adamantly deny using the hack to run pirated games, the fact remains that the hack can indeed be exploited for such a purpose. And three, unauthorized apps simply take money out of the gaming behemoth’s pocket.

The minimum bounty payout is $100, with the $20,000 reward reserved for the most serious of flaws. The reward amount depends on the “importance” of the information (whether the vulnerability is severe, easy to exploit, etc.) and the quality of the report. Nintendo is focused first and foremost on preventing piracy and cheating, but also on system vulnerabilities like privilege escalation and kernel takeover.

“A report is evaluated to be high quality if you show that the vulnerability is exploitable by providing a proof of concept (functional exploit code is even better),” it said. “If you don’t yet have a proof of concept, or functional exploit code, we still encourage you to report to us sooner rather than later such that you do not lose the opportunity to become the first reporter; you can then submit a proof of concept or functional exploit code later (within three weeks of the initial report) and it will be considered to be a part of the report.”

If a white hat manages to snag the $20,000, it will be quite the coup, though the public will likely never know, as Nintendo said it has no plans to name winners’ amounts.
