While the humble Nintendo 3DS might not be around for too much longer with the impending arrival of the Nintendo Switch, it should not come as a surprise that the Big N are still interested to learn of any vulnerabilities on their 3DS family of systems that might still be exploited.
Nintendo recently posted on HackerOne (a vulnerability coordination and bug bounty platform) offering a bounty ranging from $100 USD to $20,000 USD for anyone who can discover vulnerabilities in the 3DS hardware as follows:
Nintendo will pay rewards to the first reporter of qualifying vulnerability information ranging from $100 USD to $20,000 USD. Only one reward per qualifying piece of vulnerability information will be awarded. Nintendo will determine at its discretion whether the vulnerability information qualifies for a reward as well as the amount of any such reward. Nintendo does not disclose how the reward amount is calculated. Vulnerability information that is already known to Nintendo or the public, for example, does not qualify for a reward. Rewards will not be issued to individuals who are on sanction lists, or who are in countries on sanction lists.
The reward amount depends on the importance of the information and the quality of the report. In general, the importance of the information is higher if the vulnerability is severe, easy-to-exploit, etc.
A report is evaluated to be high quality if you show that the vulnerability is exploitable by providing a proof of concept (functional exploit code is even better). If you don't yet have a proof of concept, or functional exploit code, we still encourage you to report to us sooner rather than later such that you do not to lose the opportunity to become the first reporter; you can then submit a proof of concept or functional exploit code later (within three (3) weeks of the initial report) and it will be considered to be a part of the report.
The reward will be paid after the reported vulnerability has been fixed by Nintendo, but no later than four (4) months after Nintendo has confirmed the reported vulnerability.
Nintendo will not disclose to the public the amount of any reward distributed by Nintendo.
It's great to see Nintendo engaging with the friendly hacking community in such a way so that they can keep their hardware safe from those who would seek to exploit them. Let us know if you have the hacking skills to claim the grand prize with a comment below.