Nintendo Hackers Told Us $20,000 Bug Bounties Aren't Going to Stop Piracy

This month, Nintendo expanded its bug bounty program to include the Nintendo Switch. The program, launched in December, previously only addressed 3DS vulnerabilities.

Organized through third-party vulnerability coordination and bug bounty platform Hacker One, Nintendo's bug bounty program is straightforward: Hackers who report vulnerability information about Nintendo's hardware systems will be paid—anywhere from $100 to $20K—depending on the severity of the exploit. And in exchange for reporting any vulnerability, the hacker turns over all ownership of his of her work to Nintendo.

Bug bounty programs are not a new phenomenon; tech companies like Facebook, Google, and Microsoft have all used them to patch their systems' vulnerabilities. Nor is the driving mechanism behind these programs new; they employ the same mentality that casinos employ when they hire professional gamblers and former cheats to run their security.

But it is notable that Nintendo waited this long—the 3DS launched in 2011—to implement such an initiative. That hesitancy is consistent with the company's longstanding ethos of extreme control, protectiveness over its creative properties, and adherence to family-friendliness. But now, only a month since the Switch's launch, Nintendo is reaching out to the hacker community. Could this signal a philosophical change in the company's approach to security?

When Jordan Rabet, known online as smealum, first cracked the 3DS's security in November 2014, such a collaborative bounty program did not exist. Then 22 years old and a student at Stanford University, Rabet was driven more by intellectual curiosity than anything else.

"For me, it's definitely not about the money, as I don't take donations and have yet to report anything to Nintendo in exchange for cash," said Rabet in an email to Motherboard. "My original motivation was to make it possible for people to make their own games on the 3DS."

"I only got into programming because hackers before me had opened up the GBA and the DS to amateur developers, and so I was able to make my own games for those," said Rabet. "Over time though, and as we achieved the goal [of cracking the 3DS], it became an interesting platform for reverse engineering and security research. The 3DS is pretty much completely broken now, but it's still interesting to try and bypass new security features and mitigations being introduced by Nintendo."

Rabet is not as invested in the Switch's security as he was in the 3DS's. On the other hand, his friend and colleague Plutoo is directly involved in current efforts to crack the Switch. Those efforts are still in their early stages, but it is already known that the Switch's OS and the 3DS's OS share a great deal in common.

"Switch has a microkernel architecture," said Plutoo in an interview with Motherboard. "Each driver is running as its own process outside the kernel. When we started with the Switch, it was all a black box. Most of it is still a black box. But we managed to get code-execution in the web browser. Then from the web browser process, I was able to read out the memory of a sysmodule—a term we use for privileged processes that are part of the OS but outside the kernel. Now that we have our hands on the code of the sysmodule, we can analyze it for flaws."

Does Plutoo feel that the new bug bounty program will affect the hacking community?

"It has had little effect on our scene, I think," said Plutoo. "I've always looked into Nintendo systems for fun and my own enjoyment. And I think that is true for most enthusiasts in the Nintendo hacking scene."

Rabet, however, does wonder if the program will have a chilling effect on collaboration between hackers.

"You don't want to share your bugs with someone who might just report them to Nintendo for money," said Rabet. "Console hackers have always been kind of private and paranoid about sharing their findings, but Nintendo actively incentivizing these reports will certainly not help people open up about what they're doing."

"It's likely that [the bug bounty program] will lead to more people from outside the traditional console hacking scene to look at Nintendo," continued Rabet. "But that probably won't happen for the Switch until it's already been broken publicly. The reason for that is while $20K might sound like a lot, that's the absolute maximum payout offered by Nintendo. It's probably [the payout] for breaking the console's deepest level of security, which means that getting there in the first place will require breaking through every other layer on the way. "

"Doing that just takes a lot of work: randomly probing attack surfaces for vulnerabilities, reverse engineering whatever binaries can be read back, and then actually exploiting whatever you find," continued Rabet. "At the end of the day, the amount of work required for the payoff doesn't seem worth it. There are much easier ways to make good money in this field."

And as for Rabet and Plutoo's potential participation in the bounty program? Nintendo shouldn't hold its breath.

"I don't think I'll ever participate under the current rules, as they require that the finder never disclose his or her findings publicly," said Rabet. "I feel like my work has more value published than not. That said, I respect what Nintendo is doing, and I typically do not release exploits using critical vulnerabilities until after they've been patched. In that sense, I wouldn't be opposed to entering the bounty if I could retain the right to do whatever I want with the vulnerability details after the fact. Currently, however, that doesn't seem possible."

"I like Nintendo. They give me puzzles to break, and I have nothing against giving something back in return," said Plutoo, who concedes that the program is a great initiative. "But if I were to report something, I'd like to play with it before it gets patched. The Switch bug I have right now? I have no plans to put it to the bounty."

And if you have a moment, please don't forget to vote for Motherboard in this year's Webby Awards. Thank you!