Nintendo just paid off 3 people for the HackerOne Program


Last year, Nintendo debuted its HackerOne program, which involved giving a bounty in the range of $100 - $20,000 to hackers that disclose their system exploits and vulnerabilities for the 3DS. Everyone thought it wouldn't work out for Nintendo, but just around last month the program was extended to include the Nintendo Switch too.

Just recently, as you can see in the picture, three people have been rewarded so far; however, the amounts paid will not be made public. It seems as if a few hackers wouldn't mind giving out their newfound exploits for some easy cash. Hopefully, for the sake of the Switch hacking scene, it isn't the same with our own resident hackers.

A few examples of what information Nintendo is interested in receiving:
  • System vulnerabilities regarding Nintendo Switch
    • Privilege escalation from userland
    • Kernel takeover
    • ARM® TrustZone® takeover
  • Vulnerabilities regarding Nintendo-published applications for Nintendo Switch
    • Userland takeover
  • System vulnerabilities regarding the Nintendo 3DS family of systems
    • Privilege escalation on ARM® ARM11™ userland
    • ARM11 kernel takeover
    • ARM® ARM9™ userland takeover
    • ARM9 kernel takeover

 
Last edited by Chary,

:-infern:

Lmao ew those people..

I can't say I'm surprised, but hey, money speaks louder than actions, bribery always works :creep:

I hate snitches, they make me sick.
As a security researcher I laugh at these kind of posts. You kids write as if you're entitled to some hack? Hilarious. The freshest manure I've ever seen if any...

They find the exploit, they can do whatever they want. They can release it, bounty it, sell it to the highest bidder etc. Granted $20k is pretty low considering a lot more can be made of the black market, but it's good to see Nintendo is actively trying with their program.

However though what I don't like is the fact it's undisclosed, thus for other people researching, it makes it difficult for them to know if they're not looking into an empty pot of gold. Granted I'd say they should disclose them once a few versions have been released but eh.

Yes, we will see familiar names on the wall. That is certain. Then we'll see all the kiddies crying on the forums calling them sellouts etc.

People also need to stop crying about wanting to back up saves. I'm certain that feature will arrive soon with some sort of Nintendo program where it gets saved to the cloud.
 
Last edited by :-infern:,

0100100001001001

As a security researcher I laugh at these kind of posts. You kids write as if you're entitled to some hack? Hilarious. The freshest manure I've ever seen if any...

They find the exploit, they can do whatever they want. They can release it, bounty it, sell it to the highest bidder etc. Granted $20k is pretty low considering a lot more can be made of the black market, but it's good to see Nintendo is actively trying with their program.

However though what I don't like is the fact it's undisclosed, thus for other people researching, it makes it difficult for them to know if they're not looking into an empty pot of gold. Granted I'd say they should disclose them once a few versions have been released but eh.

Yes, we will see familiar names on the wall. That is certain. Then we'll see all the kiddies crying on the forums calling them sellouts etc.

People also need to stop crying about wanting to back up saves. I'm certain that feature will arrive soon with some sort of Nintendo program where it gets saved to the cloud.


I support anyone who sells their exploit to Nintendo, it is the ethical thing to do with it anyways. In reality I probably would do the same thing, but.... Trolling is so fun sometimes, so they are sellouts! * In reality I support them, and am glad at the choice they made * SELLOUTS!

Probably a lot of people just like me in here too, dang worthless Trolls!
 

0100100001001001

It is an ethical thing to do with an exploit, I am not sure I could get to saying it is the ethical thing to do however.

The OS, kernel, whatever you want to call it is Nintendo's intellectual property, it belongs to Nintendo and when you buy a Switch, you are buying your right to use it. If you were to find a flaw in its security, the ethical thing to do is to share that flaw with the owner.
 

Risingdawn

This could easily backfire on Nintendo, what happens if somebody goes to Nintendo with an exploit Nintendo already knows about and don't get a penny for something they have been working on for a couple of months, they will release it somewhere.

As long as you don't update for "stability" exploits are still going to make their way into the public domain. It just requires some patience, the hacking community is used to not updating.

This thread is just cancerous from both sides, full of entitled whiners and judgemental preachers. Just get a life and appreciate if you get something or be happy with your fully featured legit consoles instead of bitching at each other jeez.
 

:-infern:

The OS, kernel, whatever you want to call it is Nintendo's intellectual property, it belongs to Nintendo and when you buy a Switch, you are buying your right to use it. If you were to find a flaw in its security, the ethical thing to do is to share that flaw with the owner.

If you want to think that way then feel free, however everybody from the courts on down see scope for fiddling with devices you own ( https://library.osu.edu/blogs/copyright/2015/12/30/new-dmca-exemptions/ covers an aspect of it).
To that end I am back with it is an ethical thing to do, far from the only one though.

In this case I am having to agree with Fast.

Indeed when you purchase a device, you buy the right to use it and the property. It is ethical to report such vulnerabilities. However, as said and done with the courts. You are free to do with the device as you please. It is your device, you haven't bought a license, you have bought a physical device which is not in Nintendo's control. Just because it is a video games/entertainment device doesn't make the laws any different. It's the same when purchasing a car, you have a right to modify it, but in doing so voids any previous warranty and holds you responsible. A vehicle you buy can still get you from A to B, or perhaps you modify it to make it completely different. It is still your item.

Of course this is different when you license or subscribe to a service. Say like Netflix, as a subscriber you are paying for the delivery of goods and for newer goods. But this does not give you the right to pirate, modify or sell off their content.

Anyhow this thread is now going out to another conversation and I believe it should be closed. It seems it was open to merely complain and not necessarily inform about what was sent in the bounty.
 

FAST6191

It's the same when purchasing a car, you have a right to modify it, but in doing so voids any previous warranty and holds you responsible.

Depends where you are. There are various rulings in various countries that say if the modification did not cause the problem then the warranty still applies, or I can stick nitrous on my car and with it the whole engine, drive, brakes... is out of warranty, however if the passenger seatbelt malfunctions or the radio goes or a door lock or something then it is all good. http://lehtoslaw.com/will-modifications-void-new-car-warranty/
It can go a bit further as well and there are equivalence rulings as well -- my local garage is held to be expert enough to do a service and I don't have to go back to the dealer. http://www.approvedgarages.co.uk/news/what-can-void-your-car-warranty/

Now I have never seen anybody argue this for a console, but then again it is probably cheaper to get a new one rather than stand in front of a judge and argue your bit.
 

Risingdawn

Also if you ask me this isn't some sort of new "war on hacks". This is a money saving exercise on Nintendo's part. Instead of paying a salary to a bunch of professional coders to look for exploits you downsize that department and offer a reduced rate one time payment for exploits that could have taken months to find.

It's about saving money, that's all. It's about not paying wages, taxes, pension contributions, holiday pay, maternity pay, contracts and having no employer responsibilities.

You could well see the initiative drop if it's not cost effective vs results and you could well see no actual difference in end results. This is not a new thing, it's just Nintendo trying to get results without paying people a wage to do it.

If you ask me it's wrong because how many people have spent years coding, getting degrees and qualifications, building a c.v, gaining references etc just to have their living scalped by some bedroom hacker who could have found an exploit God knows where and made a quick buck.

I've worked with coders who build firewalls for small businesses' servers and intranets etc and these guys are on some serious contracted money and so they should be, it takes years and years to learn and costs a lot in educational fees. I can't see any of them taking the time in their lives looking for console exploits unless it's going to pay their mortgage and bills which this initiative does not do.

You don't do 3 months work for a paycheck you have no idea of what value or if it will pay at all anyway.
 

the_randomizer

As a security researcher I laugh at these kind of posts. You kids write as if you're entitled to some hack? Hilarious. The freshest manure I've ever seen if any...

They find the exploit, they can do whatever they want. They can release it, bounty it, sell it to the highest bidder etc. Granted $20k is pretty low considering a lot more can be made of the black market, but it's good to see Nintendo is actively trying with their program.

However though what I don't like is the fact it's undisclosed, thus for other people researching, it makes it difficult for them to know if they're not looking into an empty pot of gold. Granted I'd say they should disclose them once a few versions have been released but eh.

Yes, we will see familiar names on the wall. That is certain. Then we'll see all the kiddies crying on the forums calling them sellouts etc.

People also need to stop crying about wanting to back up saves. I'm certain that feature will arrive soon with some sort of Nintendo program where it gets saved to the cloud.

Why did you quote me? I never said any such thing or even so much as complained against what these people have done. SMDH:rolleyes: I'm just laughing at all the butthurt from people who feel "betrayed".
 

Toni456

This could easily backfire on Nintendo, what happens if somebody goes to Nintendo with an exploit Nintendo already knows about and don't get a penny for something they have been working on for a couple of months, they will release it somewhere.

As long as you don't update for "stability" exploits are still going to make their way into the public domain. It just requires some patience, the hacking community is used to not updating.

This thread is just cancerous from both sides, full of entitled whiners and judgemental preachers. Just get a life and appreciate if you get something or be happy with your fully featured legit consoles instead of bitching at each other jeez.
Actually this can't backfire on Nintendo, I'm pretty sure that once you report a bug for the bug bounty program you give up ownership of the found exploit whether they accept it or not, so if it's found that you released it to the public there might be some legal matters at hand.
 

Randall Stevens

People also need to stop crying about wanting to back up saves. I'm certain that feature will arrive soon with some sort of Nintendo program where it gets saved to the cloud.

Tell that to the people that put in 100+ hours into BotW and lose it.

Very smug and elitist statement. Cloud saves (or any "secure" version) should have been available 3-1.
 
Last edited by Randall Stevens,

Risingdawn

Actually this can't backfire on Nintendo, I'm pretty sure that once you report a bug for the bug bounty program you give up ownership of the found exploit whether they accept it or not, so if it's found that you released it to the public there might be some legal matters at hand.
What if a team is working on a bug and one person then sells out, rest of the team is under no such obligation.

What if you go to a public access point somewhere create some fake account and release, good luck proving anything.

There's so many ways bugs could still be released, and you think Nintendo would bother with all the legal hassle, I don't. It would take more time and money than it would be worth and by that point fw has already updated.

Besides Nintendo could sue the shit out of a stone, they still wouldn't get any money.
 

DudFunk

This thread should have an addendum added to its title, "This doesn't affect you"

Homebrew will come, be patient and have faith.

1. We don't know what they reported. For all we do know, these could have been some nasty vulnerabilities that would lead to equally nasty things happening to your system and maybe even other devices on your home network.

2. We don't know that what they reported will have any effect on possible future exploits which will lead to Homebrew

3. People deserve to be paid for their time and for their efforts, as has been said this is nice to add to a CV for future employment.

4. These people don't owe the public anything, also they could in fact be doing us a major service AND getting paid for it (refer to point 1)

Homebrew will come, be patient and have faith.
 

FAST6191

This thread should have an addendum added to its title, "This doesn't affect you"
...
1. We don't know what they reported. For all we do know, these could have been some nasty vulnerabilities that would lead to equally nasty things happening to your system and maybe even other devices on your home network.
...

Given the systems are fully locked down if there was anything seriously negative then it would almost certainly have had to come from a basis of extensive hacks, said hacks in turn likely being useful (you might overwrite my NAND but if it means you had kernel level execution in the first place to trigger that...). If it turns out that it was vulnerable to a more modern version of the ping of death or something like it then so it goes, that said if Nintendo's network coding types had taken the crack habit back up and we got a return of something like the plaintext broadcasting we saw in 3ds pokemon then eh.

At times I am sort of surprised that I have never seen a truly weaponised console hack (I have seen them for printers, routers and possibly even TVs after all) but hey.
 

TVL

LOL, hadn't seen this before. First feeling I got was those people are nothing but cheap whores... on second thought though, that's not really fair to anyone who has to prostitute themselves, they're way better than those three people.
 

Deleted User

LOL, hadn't seen this before. First feeling I got was those people are nothing but cheap whores... on second thought though, that's not really fair to anyone who has to prostitute themselves, they're way better than those three people.
This is perhaps the worst attitude to have.

As @FAST6191 said, there is a possibility that these weren't meant for homebrew entries, but rather weapon hacks. Such as viruses or other things. I can tell you that I would much rather see people sell their exploits. $500 is more than they will ever make developing for an ungrateful, demanding community. Smea & Crew are gracious enough to develop any exploits.

Your kind is the reason I hate the hacking community.
 

linuxares

LOL, hadn't seen this before. First feeling I got was those people are nothing but cheap whores... on second thought though, that's not really fair to anyone who has to prostitute themselves, they're way better than those three people.
And this is a prime example why GBATemp is laughed at by the console hacking community.
 
