Nintendo Announces Vulnerability Reward Program for Nintendo 3DS - Polidicks

[url]https://hackerone.com/blog/Nintendo-3ds-Launches-bug-bounty-program-on-HackerOne[/url] [QUOTE]Nintendo is offering an incentive to the world’s finest researchers to find and report security vulnerabilities for the Nintendo 3DS family of handheld game systems. In coordination with HackerOne, Nintendo will pay up to U.S. $20,000 for the discovery of critical security vulnerabilities. Nintendo is dedicated to providing video game fans worldwide premium entertainment in a welcoming and secure environment. To that end, Nintendo invites highly skilled researchers to find and address vulnerabilities on the Nintendo 3DS handheld system that could jeopardize that environment. Nintendo is committed to creating a better game-play experience for all through those actions.[/QUOTE] details: [url]https://hackerone.com/nintendo[/url] The Homebrew community is gonna have a field day with this

So Nintendo will be paying their greatest bane? Sounds like some big guy like Smealum could come along and remove a lot of cash from Nintendo. It would be very painful.

[QUOTE=Mr_Awesome;51483173]So Nintendo will be paying their greatest bane? Sounds like some big guy like Smealum could come along and remove a lot of cash from Nintendo. It would be very painful.[/QUOTE] [media]https://twitter.com/smealum/status/805962199223005184[/media]

They're way too late for this though I'm not surprised they're late.

that is a really low payout when you consider this is nintendo, how much they're potentially losing from piracy and how much skill it requires to find these vulnerabilities.

[QUOTE=Dantz Bolrew;51483242]They're way too late for this though I'm not surprised they're late.[/QUOTE] Knowing Nintendo, they'd probably even be late to their own market crash if they somehow continue enough of a string of blunders big enough to devastate their huge swaths of bank.

so basically instead of having exploits be kept secret for homebrew, the exploits will be outed for nintendo to fix. instead of fighting the homebrew community, nintendo will have the homebrew community fight itself. this could lead to a lot of drama

[QUOTE=da space core;51483294]so basically instead of having exploits be kept secret for homebrew, the exploits will be outed for nintendo to fix. instead of fighting the homebrew community, nintendo will have the homebrew community fight itself. this could lead to a lot of drama[/QUOTE] Nintendo wins either way

[QUOTE=Mr_Awesome;51483173]So Nintendo will be paying their greatest bane? Sounds like some big guy like Smealum could come along and remove a lot of cash from Nintendo. It would be very painful.[/QUOTE] Well as long as you're not running homebrew it shouldn't be too painful for you

[QUOTE=Mr_Awesome;51483173]So Nintendo will be paying their greatest bane? Sounds like some big guy like Smealum could come along and remove a lot of cash from Nintendo. It would be very painful.[/QUOTE] [url=https://en.wikipedia.org/wiki/White_hat_(computer_security)]I mean, it's not like companies don't already do this.[/url]

[QUOTE=Mr_Awesome;51483173]So Nintendo will be paying their greatest bane? Sounds like some big guy like Smealum could come along and remove a lot of cash from Nintendo. It would be very painful.[/QUOTE] Companies don't typically offer people money for something that's not worth at least that much money to them.

They're too late to this, and it seems so pointless. Just let the homebrew community exist, Nintendo. You can't beat piracy and there's no other reason to do something like this.

[QUOTE=WillerinV1.02;51483481]They're too late to this, and it seems so pointless. Just let the homebrew community exist, Nintendo. You can't beat piracy and there's no other reason to do something like this.[/QUOTE] Well i wouldn't be shocked if a lot of what makes up the switch systemically will be adapted from the 3ds. Obviously not the same thing but it'd make sense they'd want to plug potential problems for their next console before it's even a concern.

[QUOTE=No Party Hats;51483530]Well i wouldn't be shocked if a lot of what makes up the switch systemically will be adapted from the 3ds. Obviously not the same thing but it'd make sense they'd want to plug potential problems for their next console before it's even a concern.[/QUOTE] That's a good point, I hadn't considered that. Still, I personally think it might be a bit of a waste of time. But if it [I]does[/I] cause drama and infighting in the homebrewing community, I suppose Nintendo could consider it mission accomplished.

That's probably one of their primary aims with this move. Shake everything up, sow distrust and paranoia, and ultimately devastate the hacking community much like Sony did to the hacking scene for their consoles (although apparently they had a much more direct role in that, like actually paying people to stir shit on wololo and elsewhere) They probably want to put the scene in complete disarray before the Switch comes out, it will make it harder to coordnate and start pulling the thing apart at launch to find vulnerabilities. Can't trust any outside help or disclose vulns now because you can never know now if one of those people will sell it out to make a quick buck. This is going to shit on gbatemp pretty hard, expect to see people quit over this.

The architecture of the 3DS and Switch are fairly dissimilar. I'd be surprised if the Switch firmware wasn't written mostly from scratch.

[QUOTE=Wii60;51483145] The Homebrew community is gonna have a field day with this[/QUOTE] Sadly. This same thing has happened to the jailbreaking community.

[QUOTE=Dr. Evilcop;51483618]The architecture of the 3DS and Switch are fairly dissimilar. I'd be surprised if the Switch firmware wasn't written mostly from scratch.[/QUOTE] Uh that's a really bold claim? I mean obviously it might not mean much but if they're using same style of cartridges as the 3ds, isn't the way to homebrew usually prying open a vulnerability within a game? Idk I just feel like you can't say they're totally dissimilar with literally no rationale

[QUOTE=No Party Hats;51485693]Uh that's a really bold claim? I mean obviously it might not mean much but if they're using same style of cartridges as the 3ds, isn't the way to homebrew usually prying open a vulnerability within a game? Idk I just feel like you can't say they're totally dissimilar with literally no rationale[/QUOTE] One of the first ways for homebrew was finding an vulnerability in a game. The most recent ones have been a vulnerability in the 3DS itself.

[QUOTE=Dr. Evilcop;51483618]The architecture of the 3DS and Switch are fairly dissimilar. I'd be surprised if the Switch firmware wasn't written mostly from scratch.[/QUOTE] I bet the Switch firmware is the same shit as everyone else, some BSD (probably FreeBSD) and then Nintendo's own userland on top. Nvidia actively releases their graphics drivers for FreeBSD, wouldn't be surprised if they dropped some binaries to Nintendo.

[QUOTE=No Party Hats;51485693]Uh that's a really bold claim? I mean obviously it might not mean much but if they're using same style of cartridges as the 3ds, isn't the way to homebrew usually prying open a vulnerability within a game? Idk I just feel like you can't say they're totally dissimilar with literally no rationale[/QUOTE] These days the initial entrypoint is often WebKit. [QUOTE=nikomo;51486778]I bet the Switch firmware is the same shit as everyone else, some BSD (probably FreeBSD) and then Nintendo's own userland on top. Nvidia actively releases their graphics drivers for FreeBSD, wouldn't be surprised if they dropped some binaries to Nintendo.[/QUOTE] Eh, I'd assume they collaborated on firmware development as well as hardware. Seems to be how it usually goes with consoles.

[QUOTE=No Party Hats;51485693]Uh that's a really bold claim? I mean obviously it might not mean much but if they're using same style of cartridges as the 3ds, isn't the way to homebrew usually prying open a vulnerability within a game? Idk I just feel like you can't say they're totally dissimilar with literally no rationale[/QUOTE] I'm specifically addressing your claim of "Well i wouldn't be shocked if a lot of what makes up the switch systemically will be adapted from the 3ds." It won't be. The 3DS's main professor (ARM11) is not the exact same architecture as the Switch (ARMv8) despite both being ARM. The 3DS also has to accommodate a coprocessor (the DS ARM9 processor, which is involved in exploits as well) that doesn't exist at all on the Switch. It should also be noted that there's a huge difference in finding a vulnerability in a game and finding a vulnerability in the kernel. Finding one in a game lets you run code in userland; this will let you do silly stuff like run DooM or whatever. But to do stuff like install custom firmware and/or pirate games, you need to gain ARM11 kernel access. This is what Nintendo is mostly interested in. Usually userland homebrew access is gained first, then it's used to run code that takes advantage of a kernel level exploit. None of these kernel level exploits are going to be on the Switch, because the hardware the firmware is written for does not exist on the Switch. It would make much more sense to write a new kernel for the Switch's OS (or base it on something like FreeBSD like mentioned earlier) than to port the ARM11 one from the 3DS. The user interface and stuff like that [I]might[/I] get ported, but that's not what's important.

It's entirely possible they have tons of reusable (and indeed reused) code just about anywhere. The most obvious place would be the SDK. But kernel code isn't all machine-specific either (or even kernel-specific; a bug in your libc could bite you in the ass anywhere). Either way the main reason they're doing this now is probably so both Nintendo and [del]1337 h4x0rs[/del] independent security researchers are accustomed to the process (and on board with using it) when the Switch hits.

Way too late for the 3DS. But this might save the switch.

Looks like some asshole bit the bait, all DSiWare titles associated with hacking have been pulled from all regions of the eShop [editline]7th December 2016[/editline] Rumor has it that these titles are not downloadable even if you previously purchased them

[QUOTE=chipsnapper2;51492135]Looks like some asshole bit the bait, all DSiWare titles associated with hacking have been pulled from all regions of the eShop [editline]7th December 2016[/editline] Rumor has it that these titles are not downloadable even if you previously purchased them[/QUOTE] that was already happening; the only one left was legends of exidia

Furthermore, Nintendo refuses to assist you with transferring NNIDs if the games purchased on the account are associated with hacking (Fieldrunners, Steel Diver: Sub Wars) [editline]7th December 2016[/editline] I also have a strong feeling that this crackdown is from the top - Nintendo of Japan is notorious for no fun allowed, no?

People will always find a vulnerability no matter what. Nintendo consoles are usually first to go when it comes to this kind of stuff, it's been that way since GameCube. Giving a bandage to the vulnerabilities isn't going to fix it. They need to fix their architecture before releasing consoles. Sony and Microsoft don't nearly have as much problems, (more so Microsoft).

[QUOTE=chipsnapper2;51492145]Furthermore, Nintendo refuses to assist you with transferring NNIDs if the games purchased on the account are associated with hacking (Fieldrunners, Steel Diver: Sub Wars) [editline]7th December 2016[/editline] I also have a strong feeling that this crackdown is from the top - Nintendo of Japan is notorious for no fun allowed, no?[/QUOTE] if they keep going like this theyre going to start alienating customers pretty fast. they started banning people who played sun and moon online functionality early, even if those people were playing a legitimate copy that they had just happened to get early

[QUOTE=da space core;51483294]so basically instead of having exploits be kept secret for homebrew, the exploits will be outed for nintendo to fix. instead of fighting the homebrew community, nintendo will have the homebrew community fight itself. this could lead to a lot of drama[/QUOTE] Kinda hard to do anything when the homebrew community generally already has their shit homebrewed. All I gotta do is hold LT while my 3DS launches and bam, homebrew loader. I'll be playing DooM on the 3DS until they release something on there that I can't live without. [editline]7th December 2016[/editline] [QUOTE=Zombii;51492522]if they keep going like this theyre going to start alienating customers pretty fast. they started banning people who played sun and moon online functionality early, even if those people were playing a legitimate copy that they had just happened to get early[/QUOTE] The only console dev that doesn't do this is Sony, so I don't think they've got too much to worry about on that end. [editline]a[/editline] And tbh I haven't played any games early on a PlayStation since the PS3 so I don't know 100%